Role and scope doesn't seem to be taking effect

adpatter · August 15, 2022, 3:33pm

When I try to call the hub/api/info end point using my user’s API token, the logs show:

[D 2022-08-15 15:29:32.822 JupyterHub scopes:301] Authenticated with token <APIToken('0RWN...', user='adpatter', client_id='jupyterhub-user-adpatter')>
[D 2022-08-15 15:29:32.823 JupyterHub scopes:491] Checking access via scope read:hub
[D 2022-08-15 15:29:32.823 JupyterHub scopes:386] No access to /hub/api/info via read:hub
[W 2022-08-15 15:29:32.824 JupyterHub scopes:499] Not authorizing access to /hub/api/info. Requires any of [read:hub], not derived from scopes [access:servers!server=adpatter/]
[W 2022-08-15 15:29:32.824 JupyterHub web:1796] 403 GET /hub/api/info (10.0.19.181): Action is not authorized with current scopes; requires any of [read:hub]
[W 2022-08-15 15:29:32.825 JupyterHub log:189] 403 GET /hub/api/info (adpatter@10.0.19.181) 13.53ms

However, I have my roles configured like this:

c.JupyterHub.load_roles = [
    {
        'name': SERVICE_NAME,
        'groups': [SERVICE_NAME],
        'services': [SERVICE_NAME],
        'scopes': ['read:hub', f'access:services!service={SERVICE_NAME}']
    },
    {
        'name': 'user_role',
        'users': ['adpatter'],
        'scopes': ['read:hub']
    }
]

It is my understanding that the read:hub scope should permit reading from the API endpoint.

Does anyone have any ideas for why this isn’t working?

Thank you.

adpatter · August 15, 2022, 3:52pm

When I look at /hub/api/user for adpatter, I see this:

{'admin': True, 'groups': ['shared-notebook'], 'name': 'adpatter', 'kind': 'user', 'session_id': '4200c8c742f042efabae1b571941da15', 'scopes': ['access:services!service=shared-notebook']}

adpatter is a member of the SERVICE_NAME group; however, it appears that the user only got one of the assigned scopes. It’s not clear to me why this is happening.

manics · August 15, 2022, 8:31pm

Are you using the token from the JUPYTERHUB_API_TOKEN environment variable in a singleuser server, or are you creating a new one (Understanding token scope difference)?

minrk · August 18, 2022, 7:07am

I think what you want to set is the service.oauth_roles (more finely tuned as service.oauth_client_allowed_scopes in jupyterhub 3.0). This designates the permissions of the oauth tokens issued by the service. These are the tokens a user uses to talk to services, and represent the actions a service is allowed to take on an authenticated user’s behalf. The default is to only allow talking to the service itself.

Topic		Replies	Views
API request failed (403): Action is not authorized with current scopes; requires any of [delete:servers] JupyterHub	3	2162	February 4, 2023
Requires any of [read:servers], not derived from scopes [] JupyterHub jupyterhub , how-to	1	1307	September 9, 2022
How to actually use scopes JupyterHub	2	801	May 5, 2022
Add scopes to `JUPYTERHUB_API_TOKEN` through Helm chart values Zero to JupyterHub on Kubernetes	6	775	March 22, 2023
Can not get admin UI in JupyterHub 2.2.0 JupyterHub	5	2048	April 5, 2022

Role and scope doesn't seem to be taking effect

Related topics