From 379198053ae5037dff37f8adfd07e2e03610d37b Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Tue, 7 May 2024 10:29:42 +0200
Subject: [PATCH 1/3] basehub: reduce hub.loadRoles and clarify the situation
---
 helm-charts/basehub/values.yaml | 40 +++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index efa8476941..8866e2bb48 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -597,15 +597,37 @@ jupyterhub:
 matchLabels:
 app.kubernetes.io/component: traefik
 hub:
- loadRoles:
- # Should use this, not hub.config.JupyterHub.load_roles - that will
- # override any existing load_roles set by z2jh
- service-use:
- name: user
- scopes:
- # Allow all users access to 'services', which includes dask-gateway & configurator
- - access:services
- - self
+ # hub.loadRoles is z2jh native config to enable configuration of
+ # c.JupyterHub.load_roles without overriding a list - use it instead of the
+ # passthrough config hub.config.JupyterHub.load_roles.
+ #
+ # - About jupyterhub-configurator service access
+ #
+ # The JupyterHub admin users get the scope access:services by being
+ # admins, which includes the scope access:services!service=configurator.
+ # This makes them not need additional scope requests to work with
+ # jupyterhub-configurator that also require users to be admins anyhow.
+ #
+ # ref: https://github.com/yuvipanda/jupyterhub-configurator/blob/f46fb4e81b1de74c4fcaa5a7763fb230265bab90/jupyterhub_configurator/app.py#L100-L109
+ #
+ # - About dask-gateway service access
+ #
+ # Providing access:services!service=dask-gateway has no effect, as
+ # dask-gateway the client passes the jupyterhub user's jupyterhub api
+ # token to the dask-gateway-server, which then just verifies that the api
+ # token is associated with an actual user using the api token itself. Due
+ # to that, we can't limit access to dask-gateway by providing that scope
+ # only to some users.
+ #
+ # Considerations of updating dask-gateway to gate access via
+ # access:services!service=dask-gateway is considered in the linked issue.
+ #
+ # ref: https://github.com/dask/dask-gateway/issues/829
+ #
+ # loadRoles ref (z2jh): https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-loadroles
+ # load_roles ref (jh): https://jupyterhub.readthedocs.io/en/stable/rbac/roles.html#defining-roles
+ #
+ loadRoles: {}
 config:
 JupyterHub:
 # Allow unauthenticated prometheus requests
From 7327486f093b9c79451d1fe5b6fea930ab012be1 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Wed, 8 May 2024 08:49:23 +0200
Subject: [PATCH 2/3] basehub: remove configurator / dask-gateway notes on loadRoles
---
 helm-charts/basehub/values.yaml | 23 -----------------------
 1 file changed, 23 deletions(-)
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index 8866e2bb48..e21a740c39 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
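Review bot: Removing the `service-use` role in the [PATCH 1/3] hunk takes `access:services` away from every non-admin user, but the added comment only justifies that for jupyterhub-configurator and dask-gateway. Any other hub-OAuth-protected service configured by a hub that builds on basehub would presumably start rejecting non-admin users, so that should be confirmed before merging; the `hub:` mapping continues outside the hunk, so other role config is not visible here. Where such a service exists, granting the narrower `access:services!service=<name>` in that hub's own `hub.loadRoles` keeps least privilege instead of restoring the blanket scope. Because the dask-gateway caveat is a real access-control limitation, I would keep one short line of it in the file, e.g. `# dask-gateway does not enforce access:services; any valid user token is accepted, see dask/dask-gateway#829`.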
@@ -601,29 +601,6 @@ jupyterhub:
 # c.JupyterHub.load_roles without overriding a list - use it instead of the
 # passthrough config hub.config.JupyterHub.load_roles.
 #
- # - About jupyterhub-configurator service access
- #
- # The JupyterHub admin users get the scope access:services by being
- # admins, which includes the scope access:services!service=configurator.
- # This makes them not need additional scope requests to work with
- # jupyterhub-configurator that also require users to be admins anyhow.
- #
- # ref: https://github.com/yuvipanda/jupyterhub-configurator/blob/f46fb4e81b1de74c4fcaa5a7763fb230265bab90/jupyterhub_configurator/app.py#L100-L109
- #
- # - About dask-gateway service access
- #
- # Providing access:services!service=dask-gateway has no effect, as
- # dask-gateway the client passes the jupyterhub user's jupyterhub api
- # token to the dask-gateway-server, which then just verifies that the api
- # token is associated with an actual user using the api token itself. Due
- # to that, we can't limit access to dask-gateway by providing that scope
- # only to some users.
- #
- # Considerations of updating dask-gateway to gate access via
- # access:services!service=dask-gateway is considered in the linked issue.
- #
- # ref: https://github.com/dask/dask-gateway/issues/829
- #
 # loadRoles ref (z2jh): https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-loadroles
 # load_roles ref (jh): https://jupyterhub.readthedocs.io/en/stable/rbac/roles.html#defining-roles
 #
From 7c717b1cbd4b3d7536d10bc08397f132ccf1c361 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Wed, 8 May 2024 08:49:39 +0200
Subject: [PATCH 3/3] basehub: remove hub.loadRoles entirely
---
 helm-charts/basehub/values.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index e21a740c39..6b152ca148 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -597,14 +597,6 @@ jupyterhub:
 matchLabels:
 app.kubernetes.io/component: traefik
 hub:
- # hub.loadRoles is z2jh native config to enable configuration of
- # c.JupyterHub.load_roles without overriding a list - use it instead of the
- # passthrough config hub.config.JupyterHub.load_roles.
- #
- # loadRoles ref (z2jh): https://z2jh.jupyter.org/en/stable/resources/reference.html#hub-loadroles
- # load_roles ref (jh): https://jupyterhub.readthedocs.io/en/stable/rbac/roles.html#defining-roles
- #
- loadRoles: {}
 config:
 JupyterHub:
 # Allow unauthenticated prometheus requests