Question about docs for auth - what makes jupyterhub-singleuser cmd change required?

[consideRatio]

In this documentation about enabling auth it sais:

  singleuser:
    # to make notebook servers aware of hub
    cmd: jupyterhub-singleuser

I'm wondering what makes this required? If it is, then the repo we build an image from requires jupyterhub as well - a requirement not presented otherwise for anonymous binderhub deployments like mybinder.org.

[manics]

It's required for hub authentication. Without auth BinderHub has admin permissions on JupyterHub to create a temporary user with token authentication for the server.

jupyterhub-singleuser is included in repo2docker images.

[consideRatio]

jupyterhub-singleuser is included in repo2docker images.

Ah, the failure I observed was on a minimalistic Dockerfile (https://github.com/binderhub-ci-repos/cached-minimal-dockerfile), so then this is just a difference for when repo2docker builds with a Dockerfile at least.

---

Thanks for helping me understand things @manics, I don't get it fully yet:

Without auth BinderHub has admin permissions on JupyterHub to create a temporary user with token authentication for the server.

Ah yes it seems that the creation of users is done when auth isn't enabled, which then btw contradicts the comment in 39980f0#diff-dfa1149c9b40dd3c7c372015a9fb7b9a68507e6fdc0246a9d521483f072d120bR71-R72. My understanding reading this code block is that the permissions needed are to read user data when auth is enabled, and to create users when auth is disabled (then self.create_users is initialized true).

[manics]

Yes, the code comment is incorrect, the PR comment is correct though #1544 (comment)

I've tried adding jupyterhub to the minimal test image before for exactly this reason, but IIRC there were some problems when using pip (maybe some missing wheels for a dependency?) so I switched to Conda. I think it's worth trying again though since it makes testing easier.