From 545a58d5ba4d84820d38c621b0b4a1f07d2f9d5c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 13:55:54 +0000 Subject: [PATCH] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/standalone.md | 66 +++++++++++++++++++++++---------------- 1 file changed, 39 insertions(+), 27 deletions(-) diff --git a/docs/source/standalone.md b/docs/source/standalone.md index c7773dfb..ad930627 100644 --- a/docs/source/standalone.md +++ b/docs/source/standalone.md @@ -2,28 +2,30 @@ # Spawning and proxying a web service from JupyterHub -The `standalone` feature of Jupyter Server Proxy enables JupyterHub Admins to launch and proxy arbitrary web services -directly, in place of the JupyterLab or Notebook. You can use Jupyter Server Proxy to spawn a single proxy, -without it being attached to a Jupyter server. The proxy securely authenticates and restricts access to authorized +The `standalone` feature of Jupyter Server Proxy enables JupyterHub Admins to launch and proxy arbitrary web services +directly, in place of the JupyterLab or Notebook. You can use Jupyter Server Proxy to spawn a single proxy, +without it being attached to a Jupyter server. The proxy securely authenticates and restricts access to authorized users through JupyterHub, giving a unified way to securely provide arbitrary applications. -This works similar to {ref}`proxying Server Processes `, where a server process is started and proxied. -The Proxy is usually started from the command line, often by modifying the `Spawner.cmd` in your +This works similar to {ref}`proxying Server Processes `, where a server process is started and proxied. +The Proxy is usually started from the command line, often by modifying the `Spawner.cmd` in your [JupyterHub Configuration](https://jupyterhub.readthedocs.io/en/stable/tutorial/getting-started/spawners-basics.html). This feature builds upon the work of [Dan Lester](https://github.com/danlester), who originally developed it in the [jhsingle-native-proxy](https://github.com/ideonate/jhsingle-native-proxy) package. ## Installation -This feature has a dependency to JupyterHub and must be explicitly installed via an optional dependency: + +This feature has a dependency to JupyterHub and must be explicitly installed via an optional dependency: ```shell pip install jupyter-server-proxy[standalone] ``` ## Usage -The standalone proxy is controlled with the `jupyter standaloneproxy` command. You always need to specify the -{ref}`command ` of the web service that will be launched and proxied. Let's use + +The standalone proxy is controlled with the `jupyter standaloneproxy` command. You always need to specify the +{ref}`command ` of the web service that will be launched and proxied. Let's use [voilĂ ](https://github.com/voila-dashboards/voila) as an example here: ```shell @@ -31,13 +33,14 @@ jupyter standaloneproxy -- voila --no-browser --port={port} /path/to/some/Notebo ``` Executing this command will spawn a new HTTP Server, which will spawn the voilĂ  dashboard and render the notebook. -Any template strings (like the `--port={port}`) inside the command will be automatically replaced when the command is +Any template strings (like the `--port={port}`) inside the command will be automatically replaced when the command is executed. The CLI has multiple advanced options to customize the behavior of the proxy. Execute `jupyter standaloneproxy --help` to get a complete list of all arguments. ### Specify address and port + The proxy will try to extract the address and port from the `JUPYTERHUB_SERVICE_URL` environment variable, which is set if an application is launched by JupyterHub. Otherwise, it will be launched on `127.0.0.1:8888`. You can also explicitly overwrite these values: @@ -47,15 +50,17 @@ jupyter standaloneproxy --address=localhost --port=8000 ... ``` ### Disable Authentication + For testing, it can be useful to disable the authentication with JupyterHub. Passing `--skip-authentication` will not triggering the login process when accessing the application. -```{warning} Disabling authentication will leave the application open to anyone! Be careful with it, +```{warning} Disabling authentication will leave the application open to anyone! Be careful with it, especially on multi-user systems. ``` ## Usage with JupyterHub -To launch a standalone proxy with JupyterHub, you need to customize the `Spawner` inside the configuration + +To launch a standalone proxy with JupyterHub, you need to customize the `Spawner` inside the configuration using traitlets: ```python @@ -92,12 +97,14 @@ creating a custom `spawner.html` page. ``` ## Technical Overview + The following section should serve as an explanation to developers of the standalone feature of jupyter-server-proxy. It outlines the basic functionality and will explain the different components of the code in more depth. ### JupyterHub and jupyterhub-singleuser + By default, JupyterHub will use the `jupyterhub-singleuser` executable when launching a new instance for a user. -This executable is usually a wrapper around the `JupyterLab` or `Notebook` application, with some +This executable is usually a wrapper around the `JupyterLab` or `Notebook` application, with some additions regarding authentication and multi-user systems. In the standalone feature, we try to mimic these additions, but instead of using `JupyterLab` or `Notebook`, we will wrap them around an arbitrary web application. @@ -106,55 +113,60 @@ without needing a Jupyter server to be running in the background. The different additions will be discussed in more detail below. ### Structure -The standalone feature is built on top of the `SuperviseAndProxyhandler`, which will spawn a process and proxy -requests to this server. While this process is called *Server* in the documentation, I will call it *Application* + +The standalone feature is built on top of the `SuperviseAndProxyhandler`, which will spawn a process and proxy +requests to this server. While this process is called _Server_ in the documentation, I will call it _Application_ here, to avoid confusion with the other server where the `SuperviseAndProxyhandler` is attached to. When using jupyter-server-proxy, the proxies are attached to the Jupyter server and will proxy requests to the application. -Since we do not want to use the Jupyter server here, we instead require an alternative server, which will be used +Since we do not want to use the Jupyter server here, we instead require an alternative server, which will be used to attach the `SuperviseAndProxyhandler` and all the required additions from `jupyterhub-singleuser`. For that, we use tornado `HTTPServer`. ### Login and Authentication + One central component is the authentication with the JupyterHub Server. Any client accessing the application will need to authenticate with the JupyterHub API, which will ensure only the user themselves (or otherwise allowed users, e.g., admins) can access the application. -The Login process is started by deriving our `StandaloneProxyHandler` from +The Login process is started by deriving our `StandaloneProxyHandler` from [jupyterub.services.auth.HubOAuthenticated](https://github.com/jupyterhub/jupyterhub/blob/5.0.0/jupyterhub/services/auth.py#L1541) and decorating any methods we want to authenticate with `tornado.web.authenticated`. For the proxy, we just decorate the `proxy` method with `web.authenticated`, which will authenticate all routes on all HTTP Methods. -`HubOAuthenticated` will automatically provide the login URL for the authentication process and any +`HubOAuthenticated` will automatically provide the login URL for the authentication process and any client accessing any path of our server will be redirected to the JupyterHub API. -After a client has been authenticated with the JupyterHub API, they will be redirected back to our server. +After a client has been authenticated with the JupyterHub API, they will be redirected back to our server. This redirect will be received on the `/oauth_callback` path, from where we need to redirect the client back to the root of the application. -We use the [HubOAuthCallbackHander](https://github.com/jupyterhub/jupyterhub/blob/5.0.0/jupyterhub/services/auth.py#L1547), -another handler from the JupyterHub package, for this. +We use the [HubOAuthCallbackHander](https://github.com/jupyterhub/jupyterhub/blob/5.0.0/jupyterhub/services/auth.py#L1547), +another handler from the JupyterHub package, for this. It will also cache the received OAuth state from the login, so that we can skip authentication for the next requests and do not need to go through the whole login process for each request. ### SSL certificates -In some JupyterHub configurations, the launched application will be configured to use an SSL certificate for request -between the JupyterLab / Notebook and the JupyterHub API. The path of the certificate is given in the -`JUPYTERHUB_SSL_*` environment variables. We use these variables to create a new SSL Context for both -the `AsyncHTTPClient` (used for Activity Notification, see below) and the `HTTPServer`. + +In some JupyterHub configurations, the launched application will be configured to use an SSL certificate for request +between the JupyterLab / Notebook and the JupyterHub API. The path of the certificate is given in the +`JUPYTERHUB_SSL_*` environment variables. We use these variables to create a new SSL Context for both +the `AsyncHTTPClient` (used for Activity Notification, see below) and the `HTTPServer`. ### Activity Notifications + The `jupyterhub-singleuser` will periodically send an activity notification to the JupyterHub API and inform it that -the currently running application is still active. Whether this information is actually used or not depends on the +the currently running application is still active. Whether this information is actually used or not depends on the specific configuration of this JupyterHub. ### Environment Variables + JupyterHub uses a lot of environment variables to specify how the launched app should be run. This list is a small overview of all used variables and what they contain and are used for. | Variable | Explanation | Typical Value | -|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------| +| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | | `JUPYTERHUB_SERVICE_URL` | URL where the server should be listening. Used to find the Address and Port to start the server on. | `http://127.0.0.1:5555` | | `JUPYTERHUB_SERVICE_PREFIX` | An URL Prefix where the root of the launched application should be hosted. E.g., when set to `/user/name/`, then the root of the proxied aplication should be `/user/name/index.html` | `/services/service-name/` or `/user/name/` | | `JUPYTERHUB_ACTIVITY_URL` | URL where to send activity notifications to. | `$JUPYTERHUB_API_URL/user/name/activity` | | `JUPYTERHUB_API_TOKEN` | Authorization Token for requests to the JupyterHub API. | | | `JUPYTERHUB_SERVER_NAME` | A name given to all apps launched by the JupyterHub. | | | `JUPYTERHUB_SSL_KEYFILE`, `JUPYTERHUB_SSL_CERTFILE`, `JUPYTERHUB_SSL_CLIENT_CA` | Paths to keyfile, certfile and client CA for the SSL configuration | | -| `JUPYTERHUB_USER`, `JUPYTERHUB_GROUP` | Name and Group of the user for this application. Required for Authentication | +| `JUPYTERHUB_USER`, `JUPYTERHUB_GROUP` | Name and Group of the user for this application. Required for Authentication |