c.Authenticator.admin_users vs c.JupyterHub.load_roles in JupyterHub 2

fkapheris · March 10, 2022, 8:14am

I read about the new RBAC system but I’m not sure what the difference between the following config entries (jupyterhub_config.py) is and if they are even equivalent / both necessary / … ?

c.JupyterHub.load_roles = [
    {
        'name': 'server',
        'users': [ 'user1', 'user2' ],
    },
    {
        'name': 'admin',
        'users': [ 'user1', 'user2' ],
    }
]

and

c.Authenticator.admin_users = { 'user1', 'user2' }

(restarting the server is an action that I want to keep allowing the admins as it was part of our previous installation)

minrk · March 10, 2022, 9:12am

First, the quick one:

.admin_users is now an alias for assigning users to the admin role. Setting it is equivalent to assigning the users to the admin role:

c.JupyterHub.load_roles = [
    {
        'name': 'admin',
        'users': ["user1", "user2"],
    },
]

Second,

No, this does not set any roles. Roles cannot contain other roles. If you want to assign a single set of users multiple sets of permissions, you can assign them to multiple roles:

users = ["user1", "user2"]

c.JupyterHub.load_roles = [
    {
        'name': 'server-rights',
        'description': 'Start/stop permissions on all servers',
        'scopes': ['servers'],
        'users': users,
    },
    {
        'name': 'admin',
        'users': users,
    }
]

But what I would really recommend is to take the opportunity to define the actual permissions you want users to have, and pick them specifically. The admin role is no longer necessary for anyone, but it is a shortcut to say “these users can do everything.” It is recommended to only grant permissions they should actually have.

If all they need is permission to start/stop servers, then the servers permission is all they need. However, if they are doing it via the admin ui, they need access to that, too. Currently, that requires admin:users and admin:servers scopes, but we are considering changes to that.

fkapheris · March 10, 2022, 9:48am

Thank you very much, your answer was so so quick and exactly what I needed to know.

Topic		Replies	Views
Adding several admin users on-the-fly JupyterHub jupyterhub	1	676	December 7, 2021
I hope to be able to dynamically configure load_roles in jupyterhub through api Zero to JupyterHub on Kubernetes how-to , help-wanted	2	361	September 21, 2023
Create a new user and an admin JupyterHub community , jupyterhub , how-to , help-wanted	1	1515	June 22, 2023
Can not get admin UI in JupyterHub 2.2.0 JupyterHub	5	2057	April 5, 2022
Groups and Roles JupyterHub how-to	0	590	March 16, 2023

c.Authenticator.admin_users vs c.JupyterHub.load_roles in JupyterHub 2

Related topics