Refining `server` scopes in role definitions

Hello,

I was wondering how one could refine server scopes to exclude certain servers.

In my particular use case, I have a JupyterHub extension which allows users to publish dashboards as JupyterHub servers. However, in order to access these servers, users must have the access:server scope in the role. So I create the following role in my jupyterhub_config.py file:

c.JupyterHub.load_roles = [{
    'name': 'Dashboards',
    'description': 'Access Servers',
    'scopes': ['access:servers'],
    'groups': ['default']
}]

This works well, however one thing I noticed is that if user1 has their default server running, user2 can access it by going to BASE_URL/user/user1/lab (assuming user2 is in the default group). Obviously, this makes sense-- I gave user2 access to ALL servers. Hence, I would like to give the scope to access servers except for default servers. Is this possible?

I know that there exists horizontal filtering with !. It would be likewise, a good solution, if I can filter based on a regex (all the dashboard servers start with dash-, so if I could do:

'access:servers!server=dash-.*'

Or something similar, that would be cool.

1 Like

Are you running the extension as an JupyterHub OAuth client? If so this might help: !service and !server filters by minrk · Pull Request #3851 · jupyterhub/jupyterhub · GitHub

Thanks for the quick reply.

I think I am? I am not a hundred percent sure to be completely honest. The extension I am using is ContainDS Dashboards. When I try and start up a dashboard, I get the following splash:


which mentions OAuth.

This is not possible yet.

Currently (JupyterHub 2.2.2), you can grant access to:

  • single servers, names known ahead of time
  • all servers owned by a given user
  • all servers owned by users who are members of a given group

The linked PR mainly addresses the “names known ahead of time” part, where a user might have access to multiple servers, but upon accessing one of those servers, a token can be issued that only grants access to that service.

If you want to grant access to a subset of servers, I see two options: implement glob support in scopes as you proposed (might be tricky, not 100% sure), or alternately support a ‘tag’ metadata so that servers can have e.g. dashboard tag. This is how Google Cloud implements network access controls, for instance (accept traffic from instances with tag ‘access-service’).

The only way to workaround this right now is to explicitly grant access to every possible dashboard server one by one. This is probably not feasible! Especially because servers are per user, which means you need an entry for every user and every possible dashboard server name.

One thing I do want is to be able to define roles at runtime: Runtime / user-granted roles and scopes · Issue #3858 · jupyterhub/jupyterhub · GitHub . I hope to do that fairly soon.

2 Likes

I see; thank you for the detailed response!