I was wondering how one could refine server scopes to exclude certain servers.
In my particular use case, I have a JupyterHub extension which allows users to publish dashboards as JupyterHub servers. However, in order to access these servers, users must have the access:server scope in the role. So I create the following role in my jupyterhub_config.py file:
This works well, however one thing I noticed is that if user1 has their default server running, user2 can access it by going to BASE_URL/user/user1/lab (assuming user2 is in the default group). Obviously, this makes sense-- I gave user2 access to ALL servers. Hence, I would like to give the scope to access servers except for default servers. Is this possible?
I know that there exists horizontal filtering with !. It would be likewise, a good solution, if I can filter based on a regex (all the dashboard servers start with dash-, so if I could do:
I think I am? I am not a hundred percent sure to be completely honest. The extension I am using is ContainDS Dashboards. When I try and start up a dashboard, I get the following splash:
Currently (JupyterHub 2.2.2), you can grant access to:
single servers, names known ahead of time
all servers owned by a given user
all servers owned by users who are members of a given group
The linked PR mainly addresses the “names known ahead of time” part, where a user might have access to multiple servers, but upon accessing one of those servers, a token can be issued that only grants access to that service.
If you want to grant access to a subset of servers, I see two options: implement glob support in scopes as you proposed (might be tricky, not 100% sure), or alternately support a ‘tag’ metadata so that servers can have e.g. dashboard tag. This is how Google Cloud implements network access controls, for instance (accept traffic from instances with tag ‘access-service’).
The only way to workaround this right now is to explicitly grant access to every possible dashboard server one by one. This is probably not feasible! Especially because servers are per user, which means you need an entry for every user and every possible dashboard server name.