Set Jupyter Notebook password in bash script through environment variable

Question

I have come across the following code in a bash script for automatic deployment and setup of Jupyter Notebook. There are issues when the password contains a #, as the rest of the line is treated as a comment (and probably raises an exception in Python due to lack of closing bracket):

# Set up Jupyter Notebook with the same password
su - $USERNAME -c "$SHELL +x" << EOF
  mkdir -p ~/.jupyter
  python3 -c "from notebook.auth.security import set_password; set_password(password=\"$PASSWORD\")"
EOF

Obviously this is not an ideal way to set a password due to the above issues.

I am wondering what best practice would be in this situation? Using triple-quotes instead of single enclosing quotes might be better, but still runs into issues if the supplied password has triple quotes. How is this situation normally tackled?

Answer 1

Instead of passing the password through a bash here-document, just use python to read it from the environment:

# Set up Jupyter Notebook with the same password
su - $USERNAME -c "$SHELL +x" << EOF
  mkdir -p ~/.jupyter
  python3 -c "from notebook.auth.security import set_password; import os; set_password(password=os.environ['PASSWORD'])"
EOF

Answer 2

You can pass Jupyter command line optionsenter link description here to notebook like its done for docker. The method is save as it will use ths sha. the start-notebook.sh script looks like this:source.

#!/bin/bash
# Copyright (c) Jupyter Development Team.
# Distributed under the terms of the Modified BSD License.

set -e

wrapper=""
if [[ "${RESTARTABLE}" == "yes" ]]; then
  wrapper="run-one-constantly"
fi

if [[ ! -z "${JUPYTERHUB_API_TOKEN}" ]]; then
  # launched by JupyterHub, use single-user entrypoint
  exec /usr/local/bin/start-singleuser.sh "$@"
elif [[ ! -z "${JUPYTER_ENABLE_LAB}" ]]; then
  . /usr/local/bin/start.sh $wrapper jupyter lab "$@"
else
  . /usr/local/bin/start.sh $wrapper jupyter notebook "$@"
fi

For example, to secure the Notebook server with a custom password hashed using IPython.lib.passwd() instead of the default token, you can run the following to test via docker:

#generate a password
from IPython.lib.security import passwd
passwd(passphrase=None, algorithm='sha1')


# run test in docker
docker run -d -p 8888:8888 jupyter/base-notebook start-notebook.sh --notebookApp.password='sha1:31246c00022b:cd4a5e1eac6b621284331642a27b621948d80a92'