
Commit 95e0756

basehub: reduce hub.loadRoles and clarify the situation
1 parent a247e33 commit 95e0756

1 file changed

+27
-9
lines changed


helm-charts/basehub/values.yaml

Lines changed: 27 additions & 9 deletions
@@ -590,15 +590,33 @@ jupyterhub:
590590
matchLabels:
591591
app.kubernetes.io/component: traefik
592592
hub:
593-
loadRoles:
594-
# Should use this, not hub.config.JupyterHub.load_roles - that will
595-
# override any existing load_roles set by z2jh
596-
service-use:
597-
name: user
598-
scopes:
599-
# Allow all users access to 'services', which includes dask-gateway & configurator
600-
- access:services
601-
- self
593+
# hub.loadRoles is z2jh native config to enable configuration of
594+
# c.JupyterHub.load_roles without overriding a list - use it instead of the
595+
# passthrough config hub.config.JupyterHub.load_roles.
596+
#
597+
# - About jupyterhub-configurator service access
598+
#
599+
# The JupyterHub admin users get the scope access:services by being
600+
# admins, which includes the scope access:services!service=configurator.
601+
# This makes them not need additional scope requests to work with
602+
# jupyterhub-configurator that also require users to be admins anyhow.
603+
#
604+
# ref: https://github.com/yuvipanda/jupyterhub-configurator/blob/f46fb4e81b1de74c4fcaa5a7763fb230265bab90/jupyterhub_configurator/app.py#L100-L109
605+
#
606+
# - About dask-gateway service access
607+
#
608+
# Providing access:services!service=dask-gateway has no effect, as
609+
# dask-gateway the client passes the jupyterhub user's jupyterhub api
610+
# token to the dask-gateway-server, which then just verifies that the api
611+
# token is associated with an actual user. Due to that, we can't limit
612+
# access to dask-gateway by providing that scope only to some users.
613+
#
614+
# ref: https://github.com/dask/dask-gateway/issues/829
615+
#
616+
# loadRoles ref (z2jh): https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-loadroles
617+
# load_roles ref (jh): https://jupyterhub.readthedocs.io/en/stable/rbac/roles.html#defining-roles
618+
#
619+
loadRoles: {}
602620
config:
603621
JupyterHub:
604622
# Allow unauthenticated prometheus requests
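Review bot: The dask-gateway comment at new lines 606-612 says the server only verifies that the API token belongs to an actual user, so once the `service-use` role is gone nothing in this file limits dask-gateway to a subset of users. Please state that outright in the comment (every hub user can use dask-gateway), so that nobody later re-adds `access:services!service=dask-gateway` expecting it to act as an access control. Separately, the removed role granted the `user` role `access:services` for all services, while the new comment only argues the case for configurator and dask-gateway; it would be worth confirming in the comment or commit message that no other service registered with this hub relied on that scope for non-admin users. Two wording nits: "as dask-gateway the client passes" at line 609 looks like a word-order slip for "as the dask-gateway client passes", and "that also require users to be admins" at line 602 should read "which also requires users to be admins". With `loadRoles: {}` the key now exists only to carry the comment, which is fine, but a short note saying so would stop it from being tidied away later.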
