Refining `server` scopes in role definitions

yannsartori · April 6, 2022, 5:11pm

Hello,

I was wondering how one could refine server scopes to exclude certain servers.

In my particular use case, I have a JupyterHub extension which allows users to publish dashboards as JupyterHub servers. However, in order to access these servers, users must have the access:server scope in the role. So I create the following role in my jupyterhub_config.py file:

c.JupyterHub.load_roles = [{
    'name': 'Dashboards',
    'description': 'Access Servers',
    'scopes': ['access:servers'],
    'groups': ['default']
}]

This works well, however one thing I noticed is that if user1 has their default server running, user2 can access it by going to BASE_URL/user/user1/lab (assuming user2 is in the default group). Obviously, this makes sense-- I gave user2 access to ALL servers. Hence, I would like to give the scope to access servers except for default servers. Is this possible?

I know that there exists horizontal filtering with !. It would be likewise, a good solution, if I can filter based on a regex (all the dashboard servers start with dash-, so if I could do:

'access:servers!server=dash-.*'

Or something similar, that would be cool.

manics · April 6, 2022, 6:45pm

Are you running the extension as an JupyterHub OAuth client? If so this might help: !service and !server filters by minrk · Pull Request #3851 · jupyterhub/jupyterhub · GitHub

yannsartori · April 6, 2022, 7:14pm

Thanks for the quick reply.

I think I am? I am not a hundred percent sure to be completely honest. The extension I am using is ContainDS Dashboards. When I try and start up a dashboard, I get the following splash:

which mentions OAuth.

minrk · April 7, 2022, 8:12am

This is not possible yet.

Currently (JupyterHub 2.2.2), you can grant access to:

single servers, names known ahead of time
all servers owned by a given user
all servers owned by users who are members of a given group

The linked PR mainly addresses the “names known ahead of time” part, where a user might have access to multiple servers, but upon accessing one of those servers, a token can be issued that only grants access to that service.

If you want to grant access to a subset of servers, I see two options: implement glob support in scopes as you proposed (might be tricky, not 100% sure), or alternately support a ‘tag’ metadata so that servers can have e.g. dashboard tag. This is how Google Cloud implements network access controls, for instance (accept traffic from instances with tag ‘access-service’).

The only way to workaround this right now is to explicitly grant access to every possible dashboard server one by one. This is probably not feasible! Especially because servers are per user, which means you need an entry for every user and every possible dashboard server name.

One thing I do want is to be able to define roles at runtime: Runtime / user-granted roles and scopes · Issue #3858 · jupyterhub/jupyterhub · GitHub . I hope to do that fairly soon.

yannsartori · April 11, 2022, 9:08pm

I see; thank you for the detailed response!

Topic		Replies	Views
Group-specific scopes for creating servers JupyterHub	1	225	February 12, 2024
How to actually use scopes JupyterHub	2	794	May 5, 2022
API request failed (403): Action is not authorized with current scopes; requires any of [delete:servers] JupyterHub	3	2151	February 4, 2023
How can I allow users to restart their own server? JupyterHub help-wanted	6	593	October 31, 2023
Requires any of [read:servers], not derived from scopes [] JupyterHub jupyterhub , how-to	1	1305	September 9, 2022

Refining `server` scopes in role definitions

Related topics