Hello!
I am working toward a z2jh instance that manages and launches RTC-enabled JupyterLab pods, adapting the typical tutorial.
In order to not have to restart, I am integrating the necessary management into my already-existing custom authenticator via authenticator-managed roles, groups, etc., rather than code in the helm config like the tutorial.
Nearly everything is working as planned. Upon auth:
- Actual user is being created
- “Collaboration” users for that user’s associated projects are being created
- Groups are being created (both for each project and “collaborative” group)
- Actual users are being added to groups
- “Collaboration” users are being added to the collaborative group
- Even the RTC websockets are working with the same notebook open by the same user in 2 browser windows
The last thing remaining is having the member users of a group able to spawn and open the “collaborative” user’s pod.
When redirecting the authenticated non-admin user to the spawn url associated with the respective collaboration group, I’m receiving a 404. When spawning the same pod via admin, then trying to access the Lab instance directly with the non-admin, I get a permission denied error.
Clearly the roles I’m building are not taking. Can anyone provide guidance here as to e.g., whether the role syntax is different when approaching in this manner?
Scrubbed code follows:
```python
# API calls for authentication, admin status, and grabbing a json list of projects happens above
groups = []
roles = []
# Create projects as collaborative groups
for project in projects_json_response['items']:
    project_name = project['uuid']
    # create a JupyterHub user for each collaboration and assign the collaboration user to the collaboration group
    collab_username = f"{project_name}-collab"
    collab_user = await self.auth_to_user({'name': collab_username, 'admin': False, 'groups': ['collaborative']})
    # create a role granting access to the collaboration user's account
    roles.append({
        "name": f"collab-access-{project_name}",
        "scopes": [
            f"access:servers!user={collab_username}",
            f"admin:servers!user={collab_username}",
            "admin-ui",
            f"list:users!user={collab_username}",
        ],
        "groups": [project_name],
    })
    # create a group for each collaboration
    groups.append(project_name)
    # assign the group to the role, so it has access to the account
    # assign members of the project to the collaboration group, so they have access to the project
user = await self.auth_to_user({'name': username, 'admin': admin, 'groups': groups, 'roles': roles})
self.set_login_cookie(user)
# For non-admins, skip the home screen and redirect the user to spawn the collaboration notebook
if not admin:
    _url = url_path_join(self.hub.server.base_url, '/spawn/', project_param_content, '-collab')
    self.redirect(_url)
```
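
An added example, not part of the original post: an offline audit of role dicts shaped like the ones above, checking that each scope filter, each referenced group and the spawn redirect all point at the same collaboration user. `path_join`, `build_role` and `audit` are hypothetical helpers; the slash-joining behaviour and the `<base>/spawn/<user>[/<server name>]` path layout are assumptions about JupyterHub, and project `p1` is constructed.

```python
# Added example; helper names are hypothetical, sample project "p1" is constructed.

def path_join(*pieces):
    """Slash-join URL pieces (assumed to behave like JupyterHub's url_path_join)."""
    joined = "/".join(s for s in (p.strip("/") for p in pieces) if s)
    return "/" + joined if pieces[0].startswith("/") else joined


def build_role(project_name):
    """Role dict with the same shape and scopes as the one in the post."""
    collab = f"{project_name}-collab"
    return {
        "name": f"collab-access-{project_name}",
        "scopes": [
            f"access:servers!user={collab}",
            f"admin:servers!user={collab}",
            "admin-ui",
            f"list:users!user={collab}",
        ],
        "groups": [project_name],
    }


def audit(roles, groups, redirect_url, base_url):
    """Return findings where roles, groups and the redirect target disagree."""
    findings, covered = [], set()
    for role in roles:
        for scope in role["scopes"]:
            name, _, flt = scope.partition("!")
            if not flt:
                findings.append(f"{role['name']}: unfiltered scope {name}")
            elif flt.startswith("user="):
                covered.add(flt[len("user="):])
        for group in role["groups"]:
            if group not in groups:
                findings.append(f"{role['name']}: unknown group {group}")
    # Assumption: the path after <base>/spawn/ is <user>[/<server name>].
    tail = redirect_url[len(path_join(base_url, "spawn")):].strip("/")
    target = tail.split("/")[0]
    if target not in covered:
        findings.append(f"redirect targets user {target!r}, no role covers it")
    return findings


if __name__ == "__main__":
    roles, groups, base = [build_role("p1")], ["p1"], "/hub/"
    for url in (path_join(base, "/spawn/", "p1", "-collab"),
                path_join(base, "/spawn/", "p1-collab")):
        print(url, audit(roles, groups, url, base))
```

Passing the project name and `-collab` as separate pieces yields two path segments, so the audit reports a target user that no role's `!user=` filter names; passing the already-concatenated username does not.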