How to actually use scopes

Hey Guys,
at the moment I am writing my bachelor thesis, part of it is JupyterHub. In the docs they stated that RBAC is replacing full admin access - seems clear to me. My only question is: If I grant one account a ‘servers’ permission, how could this account actually use it? The admin panel is not visible because this account is not a “full admin”. The docs are not clear about that, my assumption is that you can use these rights only with the API, but can someone explain that to me? I can´t find an answer.
Greetings,
Tim

the docs are definitely confusing. you can specify roles and permissions in your jupyterhub_config.py, example:

c.JupyterHub.load_roles = [
    {
        'name': 'my-admin',
        'users': ['user1', 'user2'],
        'scopes': ['admin:users', 'admin:servers']
    },
    {
        "name": "jupyterhub-idle-culler-role", # see: https://github.com/jupyterhub/jupyterhub-idle-culler
        "scopes": [
            "list:users",
            "read:users:activity",
            "read:servers",
            "delete:servers",
        ],
        # assignment of role's permissions to:
        "services": ["jupyterhub-idle-culler-service"],
    }
]
2 Likes

All actions on JupyterHub are always done via the API, even if there happens to be UI for it on the few pages we do provide. Indeed, most benefit of reduced-scopes is seen with scripts that talk to the API directly.

Accessing the admin page (in 2.2) requires both admin:users and admin:servers permissions (meaning you have to have a lot of permissions to view the admin page). But we will soon switch to a dedicated admin-ui scope, separating permission to access to the UI from the various actions that can be taken on that page. So you can grant someone access to the page without their being able to take most (or even any!) of the actions on the page.

1 Like