c.Authenticator.admin_users vs c.JupyterHub.load_roles in JupyterHub 2

I read about the new RBAC system but I’m not sure what the difference between the following config entries (jupyterhub_config.py) is and if they are even equivalent / both necessary / … ?

c.JupyterHub.load_roles = [
    {
        'name': 'server',
        'users': [ 'user1', 'user2' ],
    },
    {
        'name': 'admin',
        'users': [ 'user1', 'user2' ],
    }
]

and

c.Authenticator.admin_users = { 'user1', 'user2' }

(restarting the server is an action that I want to keep allowing the admins as it was part of our previous installation)

First, the quick one:

.admin_users is now an alias for assigning users to the admin role. Setting it is equivalent to assigning the users to the admin role:

c.JupyterHub.load_roles = [
    {
        'name': 'admin',
        'users': ["user1", "user2"],
    },
]

Second,

No, this does not set any roles. Roles cannot contain other roles. If you want to assign a single set of users multiple sets of permissions, you can assign them to multiple roles:

users = ["user1", "user2"]

c.JupyterHub.load_roles = [
    {
        'name': 'server-rights',
        'description': 'Start/stop permissions on all servers',
        'scopes': ['servers'],
        'users': users,
    },
    {
        'name': 'admin',
        'users': users,
    }
]

But what I would really recommend is to take the opportunity to define the actual permissions you want users to have, and pick them specifically. The admin role is no longer necessary for anyone, but it is a shortcut to say “these users can do everything.” It is recommended to only grant permissions they should actually have.

If all they need is permission to start/stop servers, then the servers permission is all they need. However, if they are doing it via the admin UI, they need access to that, too. Currently, that requires admin:users and admin:servers scopes, but we are considering changes to that.

1 Like
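
An added example (not part of the original posts and not JupyterHub's own code): a stand-alone Python check, run on plain data rather than inside JupyterHub, that folds `admin_users` into the admin role as the answer describes and reports which users still hold blanket admin rights. The role name `server-operators`, the marker `EVERYTHING`, `user3` and the function names are assumptions; the default scopes of built-in roles are not modelled.

```python
ADMIN_ROLE = "admin"         # role name used on this page
EVERYTHING = "<all scopes>"  # marker for blanket admin rights (constructed)


def effective_scopes(load_roles, admin_users=()):
    """Return ({user: set of scopes}, [warnings]) for a load_roles list.

    admin_users is folded in as membership of the admin role, as the
    answer describes. Roles are flat: no role inherits from another.
    """
    granted, warnings = {}, []
    for role in load_roles:
        name, users = role["name"], role.get("users", [])
        if name == ADMIN_ROLE:
            scopes = {EVERYTHING}
        else:
            scopes = set(role.get("scopes", []))
            if users and not scopes:
                # Assumption: built-in default scopes are not modelled here.
                warnings.append(f"role {name!r} has users but declares no scopes")
        for user in users:
            granted.setdefault(user, set()).update(scopes)
    for user in admin_users:
        granted.setdefault(user, set()).add(EVERYTHING)
    return granted, warnings


def blanket_admins(load_roles, admin_users=()):
    """Users who can do everything, however the config expressed it."""
    granted, _ = effective_scopes(load_roles, admin_users)
    return sorted(u for u, s in granted.items() if EVERYTHING in s)


# Constructed sample: operators get only the scopes the answer names for
# start/stop plus the admin UI; one user still arrives via admin_users.
SAMPLE_ROLES = [
    {
        "name": "server-operators",  # hypothetical role name
        "description": "Start/stop servers, including via the admin UI",
        "scopes": ["servers", "admin:users", "admin:servers"],
        "users": ["user1", "user2"],
    },
    {"name": "server", "users": ["user1"]},  # as in the question
]
SAMPLE_ADMIN_USERS = {"user3"}  # constructed

if __name__ == "__main__":
    print(blanket_admins(SAMPLE_ROLES, SAMPLE_ADMIN_USERS))
    print(effective_scopes(SAMPLE_ROLES, SAMPLE_ADMIN_USERS))
```

Feeding it the list and set from a real `jupyterhub_config.py` before deployment shows at a glance whether anyone still reaches the admin role through either setting.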

Thank you very much, your answer was so so quick and exactly what I needed to know.