-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GatewayTokenRenewer classes stopped being called with the 2.8.0 release of the jupyter_server
package.
#1339
Comments
I found the root cause. PR #1330 changed the way that token renewers are used at startup. Previously, the token renewer class could be used to generate the initial auth token, but after that change, they are only invoked if the auth_token field is already set. This means that if the If the token renewer ever returns an empty string as its result, then it is effectively disabled from then on. I don't think this is how we want token renewers to work in that scenario. I don't understand why this change was made. The affected PR is fixing type errors, but I don't have context on what the specific type error was here in order to suggest a better way to fix it. @blink1073 do you still have context on what the type error was that you were trying to fix? |
Now that I know the root cause, the simplest repro steps would be:
Then, when you start Jupyter and try to list kernelspecs, the requests to the Gateway URL will not have an auth token even though the token_renewer_class was configured. |
We discussed this in the Jupyter Server community meeting today, and @Zsailer suggested that the typing issue that this change was meant to fix is the type annotation of That parameter is annotated with a type of This suggests two possible alternative fixes to the type error that would maintain backwards compatiblity with the
The difference between the two approaches is whether or not implementations of The default value for the If that happened then the outcome would be (depending on scenario):
This means that neither solution is ideal; they both leave a scenario with a potentially bad outcome, but also that this scenario only occurs in the unlikely event that the However, there is another element at play here; if we go with Option 1, then any existing extensions of Given that, I think the safest bet is to go with option 2, and only call the token renewer if the |
Prior to the `2.8.0` release, Gateway token renewers would be run regardless of the value of the initial auth token configured with the Gateway client. However, that initial value could potentially be `None`, and token renewers are not required to support that as a value for their `auth_token` parameter. This meant that token renewers might be called with a value they do not support. The `2.8.0` release fixed that issue by only calling token renewers if the `auth_token` value was truthy. However, this introduced a regression because the default value for auth tokens is the empty string, which is not truthy but which *is* a valid string value (and, as such, is expected to be supported by token renewers). This change fixes that by calling token renewers as long as the `auth_token` value is not `None`. This is a compromise between the pre-2.8.0 behavior and the 2.8.0 behavior, and is believed to be the least disruptive option. This fixes jupyter-server#1339
Description
We have an extension for Jupyter that, among other things, configures the gateway_token_renewer_class value to be a class that we provide.
With the 2.7.3 release, this works perfectly. However, with the 2.8.0 release, this has stopped working.
I see that the token renewer class is being configured because I see a log message of the form:
... however, the token renewer class is never being called. Specifically, when I add print statements to it for every call to the
get_token
method, those print statements never show up in the log.Reproduce
I can consistently reproduce this, but the reproduction steps require a Google account. I'll see if I can put together a smaller, more minimal repro, but what I have now is this:
dataproc-jupyter-plugin
package from PyPI, along withjupyter_server==2.8.0
andjupyterlab==4.0.5
gcloud
command line tool from the Google Cloud SDK.gcloud
with credentials, a project, and region.HTTP 401: Unauthorized
errors in the logs because the token renewer is never being called.Expected behavior
The expected behavior is what was seen with the
2.7.3
version; the above steps would work without any errors.The text was updated successfully, but these errors were encountered: