I’m testing the new RBAC features and noticed an interesting discrepancy in how different tokens are scoped.
For some reason, different scopes are assigned to the user token in the JUPYTERHUB_API_TOKEN single-user server environment variable vs. the token manually requested from the JupyterHub UI at /hub/token.
I use the ‘simple’ spawner and the ‘dummy’ authenticator.
To check the difference, I run a GET request against JUPYTERHUB_API_URL/user.
In the case of the token assigned to the env variable, I only get the minimal scopes required to access my own servers, read my user and my own activity:
'scopes': [
'access:servers!user=ktaletsk',
'read:users:activity!user=ktaletsk',
'users:activity!user=ktaletsk'
]
In the case of the token requested in the UI, I get the full scopes as configured in my config file:
'scopes': [
'access:servers!user=ktaletsk',
'groups!group=server_sharing_ktaletsk',
'read:groups!group=server_sharing_ktaletsk',
'read:groups:name!group=server_sharing_ktaletsk',
'read:servers!user=ktaletsk',
'read:tokens!user=ktaletsk',
'read:users!user=ktaletsk',
'read:users:activity!user=ktaletsk',
'read:users:groups!user=ktaletsk',
'read:users:name!user=ktaletsk',
'servers!user=ktaletsk',
'tokens!user=ktaletsk',
'users!user=ktaletsk',
'users:activity!user=ktaletsk'
]
I am trying to understand why there is a difference, and how I would automatically set JUPYTERHUB_API_TOKEN to the “full”-scoped token?
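One way to verify what a given token is actually allowed to do, rather than reading it off the page, is to pull the caller's user model and diff its scope list against a reference set. The following is an added example, not code from the post or from JupyterHub itself; it assumes the JUPYTERHUB_API_URL and JUPYTERHUB_API_TOKEN variables the single-user server exports, the GET /user endpoint the post already uses (which returns a `scopes` list), and JupyterHub's `Authorization: token <token>` header. The two sample scope lists are constructed from the lists quoted in the post.

```python
"""Diff the scopes JupyterHub granted a token against an expected set.

Added example, not part of the original post. Assumes the single-user
environment variables JUPYTERHUB_API_URL / JUPYTERHUB_API_TOKEN and the
GET /user endpoint, whose JSON includes a `scopes` list.
"""
import json
import os
import urllib.request
from typing import Dict, List, Optional, Tuple


def parse_scope(scope: str) -> Tuple[str, str]:
    """Split 'read:users!user=ktaletsk' into ('read:users', 'user=ktaletsk').

    An unfiltered scope such as 'access:servers' yields an empty filter.
    """
    base, _, flt = scope.partition("!")
    return base, flt


def format_scope(pair: Tuple[str, str]) -> str:
    """Inverse of parse_scope."""
    base, flt = pair
    return base + ("!" + flt if flt else "")


def compare_scopes(granted: List[str], expected: List[str]) -> Dict[str, List[str]]:
    """Return scopes the token has beyond `expected` (over-privilege) and
    scopes it lacks (the reason an API call would 403).

    Scopes are compared as (base, filter) pairs, so 'users!user=a' and
    'users!user=b' count as different grants. Sub-scope implication
    (e.g. 'users' implying 'read:users') is deliberately not modelled:
    the point is to see the literal grants the hub reports.
    """
    g = {parse_scope(s) for s in granted}
    e = {parse_scope(s) for s in expected}
    return {
        "extra": sorted(format_scope(p) for p in g - e),
        "missing": sorted(format_scope(p) for p in e - g),
    }


def fetch_token_scopes(api_url: Optional[str] = None,
                       token: Optional[str] = None,
                       timeout: float = 10.0) -> List[str]:
    """GET $JUPYTERHUB_API_URL/user with the token and return its `scopes`.

    Defaults to the single-user server's own environment, i.e. the
    JUPYTERHUB_API_TOKEN the post asks about.
    """
    api_url = (api_url or os.environ["JUPYTERHUB_API_URL"]).rstrip("/")
    token = token or os.environ["JUPYTERHUB_API_TOKEN"]
    req = urllib.request.Request(
        api_url + "/user",
        headers={"Authorization": f"token {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("scopes", [])


# Constructed sample data, copied from the two scope lists in the post.
SERVER_TOKEN_SCOPES = [
    "access:servers!user=ktaletsk",
    "read:users:activity!user=ktaletsk",
    "users:activity!user=ktaletsk",
]
UI_TOKEN_SCOPES = [
    "access:servers!user=ktaletsk",
    "groups!group=server_sharing_ktaletsk",
    "read:groups!group=server_sharing_ktaletsk",
    "read:groups:name!group=server_sharing_ktaletsk",
    "read:servers!user=ktaletsk",
    "read:tokens!user=ktaletsk",
    "read:users!user=ktaletsk",
    "read:users:activity!user=ktaletsk",
    "read:users:groups!user=ktaletsk",
    "read:users:name!user=ktaletsk",
    "servers!user=ktaletsk",
    "tokens!user=ktaletsk",
    "users!user=ktaletsk",
    "users:activity!user=ktaletsk",
]


if __name__ == "__main__":
    # Inside a spawned server: use the live token; otherwise fall back to
    # the constructed sample so the script still runs offline.
    try:
        granted = fetch_token_scopes()
    except (KeyError, OSError):
        granted = SERVER_TOKEN_SCOPES
    print(json.dumps(compare_scopes(granted, UI_TOKEN_SCOPES), indent=2))
```

Run inside the spawned server, `missing` lists every UI-token scope the server token does not carry and `extra` stays empty, which confirms the narrower token is a strict subset rather than a differently scoped one. Before widening JUPYTERHUB_API_TOKEN to the "full" list, note what that list contains: `tokens!user=...` and `servers!user=...` let any process in the notebook container mint further tokens and start or stop servers for that user, so the narrow default is the least-privilege baseline and only the scopes the workload really needs should be added on top of it.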