Group-specific scopes for creating servers

Hello,

My team has developed several JupyterHub services that should be available to all users. However, we want specific groups to have permissions to create servers while others should be restricted from doing so.

I have discovered that it is possible to raise an exception on the pre_spawn_start hook within the authenticator. However, I am wondering if it is possible to achieve this using scopes instead.

I would like to create two groups:

“unrestricted”: {user1, user2, user3} → Can access everything
“restricted”: {user4, user5, user6} → Can access everything except for creating new servers

Thank you

Yes, you can customize the user role, which is assigned to all users. Grant this role the permissions you want all users to have. The default is self, i.e. ‘everything about myself’. You can also more precisely grant the servers!user scope, which means permission to start/stop your own server(s).

For example:

c.JupyterHub.load_roles = [
    {
        "name": "user",
        "scopes": [
            # minimal permissions: read information about yourself
            "read:users!user",
        ],
    },
    {
        "name": "default-user-permissions",
        # default user permissions
        "scopes": ["self"],
        "groups": ["elevated-users"],
    },
    {
        "name": "can-start-servers",
        "scopes": [
            # or more restricted,
            # e.g. excluding token management, etc.
            "read:users!user", # read about yourself
            "users:activity!user", # update your own activity
            "servers!user", # start/stop your own servers
            "access:servers!user", # access your own servers
        ],
        "groups": ["server-starting-users"],
    },
]

Users by default can’t do much. The elevated-users group can do what JupyterHub users can do by default, while the server-starting-users can start and use their servers, while still being more restricted than the default JupyterHub user permissions.

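The same approach applied to the two groups from the question, as an added example that is not from either post: it loads the roles from `jupyterhub_config.py` and refuses to start if any member of "restricted" would still hold a scope that allows starting servers. The helper names, the use of `access:services` for the team's services, and the simplified rule that only `self`, `servers` and `admin:servers` grant server start are assumptions of this sketch.

```python
# Added example: group names follow the question, scope names follow the answer.
GROUPS = {
    "unrestricted": ["user1", "user2", "user3"],
    "restricted": ["user4", "user5", "user6"],
}
ROLES = [
    {   # overrides the built-in "user" role, which every user holds
        "name": "user",
        "scopes": ["read:users!user", "access:services"],
    },
    {
        "name": "can-start-servers",
        "scopes": ["users:activity!user", "servers!user", "access:servers!user"],
        "groups": ["unrestricted"],
    },
]
# Assumption: these are the scopes that include permission to start servers.
START_SCOPES = {"self", "servers", "admin:servers"}

def effective_scopes(username, roles=ROLES, groups=GROUPS):
    """Union of scopes from the "user" role and roles granted by name or group."""
    if not any(r["name"] == "user" for r in roles):
        # No override present: the built-in "user" role defaults to "self".
        roles = roles + [{"name": "user", "scopes": ["self"]}]
    member_of = {g for g, users in groups.items() if username in users}
    scopes = set()
    for role in roles:
        if (role["name"] == "user"
                or username in role.get("users", [])
                or member_of & set(role.get("groups", []))):
            scopes.update(role["scopes"])
    return scopes

def start_grants(username, roles=ROLES, groups=GROUPS):
    """Scopes that let this user start a server; empty list means none."""
    return sorted(s for s in effective_scopes(username, roles, groups)
                  if s.split("!", 1)[0] in START_SCOPES)

def audit(roles=ROLES, groups=GROUPS):
    """Members of "restricted" who can nevertheless start servers."""
    return {u: g for u in groups["restricted"]
            if (g := start_grants(u, roles, groups))}

# JupyterHub injects `c` when it executes the config file; skipped elsewhere.
if "c" in globals():
    assert not audit(), f"restricted users can start servers: {audit()}"
    c.JupyterHub.load_groups = GROUPS
    c.JupyterHub.load_roles = ROLES
```

Dropping the `user` override from `ROLES` makes `audit()` report every restricted user with `self`, which is the case the first role in the answer exists to prevent.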