hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-15 05:53:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3169 from IvanaH8/yaml-adding-scopes

Browse Source 
First step for implementing oauth scopes - update to rest-api.yml
This commit is contained in:
Min RK
2020-11-20 08:59:48 +01:00
committed by GitHub
parent e019a33509 18ed1b58cc
commit 31a99b5b2c
1 changed files with 160 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
docs/rest-api.yml
View File

@@ -13,8 +13,40 @@ securityDefinitions:
type: apiKey type: apiKey
name: Authorization name: Authorization
in: header in: header
security: oauth2:
type: oauth2
flow: accessCode
authorizationUrl: '/hub/api/oauth2/authorize' # what are the absolute URIs here? is oauth2 correct here or shall we use just authorizations?
tokenUrl: '/hub/api/oauth2/token'
scopes:
all: Everything a user can do
read:all: Read-only access to everything a user can read (also whoami handler)
users: Grants access to managing users including reading users model, posting activity and starting/stoping users servers
read:users: Read-only access to the above
read:users!user=username: Read-only access to a single user's model
read:users:names: Read-only access to users' names
read:users:groups: Read-only access to users' groups
read:users:activity: Read-only access to users' activity
read:users:activity!group=groupname: Read-only access to specific group's users' activity
read:users:servers: Read-only access to users' servers
users:activity!user=username: Update a user's activity
users:servers: Grants access to start/stop any server
users:servers!server=servername: Limits the above to a specific server
users:tokens: Grants access to users' token (includes create/revoke a token)
read:users:tokens: Identify a user from a token
admin:users: Grants access to creating/removing users
admin:users:servers: Grants access to create/remove users' servers
groups: Add/remove users from any group
groups!group=groupname: Add/remove users from a specific group only
read:groups: Read-only access to groups
admin:groups: Grants access to create/delete groups
read:services: Read-only access to services
proxy: Grants access to proxy's routing table, syncing and notifying about a new proxy
shutdown: Grants access to shutdown the Hub
security: # global security, do we want to keep only the apiKey (token: []), change to only oauth2 (with scope all) or have both (either can be used)?
- token: [] - token: []
- oauth2:
- all
basePath: /hub/api basePath: /hub/api
produces: produces:
- application/json - application/json
@@ -79,6 +111,10 @@ paths:
/users: /users:
get: get:
summary: List users summary: List users
security:
- oauth2:
- users
- read:users
responses: responses:
'200': '200':
description: The Hub's user list description: The Hub's user list
@@ -88,6 +124,9 @@ paths:
$ref: '#/definitions/User' $ref: '#/definitions/User'
post: post:
summary: Create multiple users summary: Create multiple users
security:
- oauth2:
- admin:users
parameters: parameters:
- name: body - name: body
in: body in: body
@@ -114,6 +153,11 @@ paths:
/users/{name}: /users/{name}:
get: get:
summary: Get a user by name summary: Get a user by name
security:
- oauth2:
- users
- read:users
- read:users!user=username
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -127,6 +171,9 @@ paths:
$ref: '#/definitions/User' $ref: '#/definitions/User'
post: post:
summary: Create a single user summary: Create a single user
security:
- oauth2:
- admin:users
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -141,6 +188,9 @@ paths:
patch: patch:
summary: Modify a user summary: Modify a user
description: Change a user's name or admin status description: Change a user's name or admin status
security:
- oauth2:
- users
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -167,6 +217,9 @@ paths:
$ref: '#/definitions/User' $ref: '#/definitions/User'
delete: delete:
summary: Delete a user summary: Delete a user
security:
- oauth2:
- admin:users
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -184,6 +237,10 @@ paths:
Notify the Hub of activity by the user, Notify the Hub of activity by the user,
e.g. accessing a service or (more likely) e.g. accessing a service or (more likely)
actively using a server. actively using a server.
security:
- oauth2:
- users
- users:activity!user=username
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -236,6 +293,10 @@ paths:
/users/{name}/server: /users/{name}/server:
post: post:
summary: Start a user's single-user notebook server summary: Start a user's single-user notebook server
security:
- oauth2:
- users
- users:servers
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -262,6 +323,10 @@ paths:
description: The user's notebook server has not yet started, but has been requested description: The user's notebook server has not yet started, but has been requested
delete: delete:
summary: Stop a user's server summary: Stop a user's server
security:
- oauth2:
- users
- users:servers
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -276,6 +341,11 @@ paths:
/users/{name}/servers/{server_name}: /users/{name}/servers/{server_name}:
post: post:
summary: Start a user's single-user named-server notebook server summary: Start a user's single-user named-server notebook server
security:
- oauth2:
- users
- users:servers
- users:servers!server=servername
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -307,6 +377,11 @@ paths:
description: The user's notebook named-server has not yet started, but has been requested description: The user's notebook named-server has not yet started, but has been requested
delete: delete:
summary: Stop a user's named-server summary: Stop a user's named-server
security:
- oauth2:
- users
- users:servers
- users:servers!server=servername
parameters: parameters:
- name: name - name: name
description: username description: username
@@ -344,6 +419,9 @@ paths:
type: string type: string
get: get:
summary: List tokens for the user summary: List tokens for the user
security:
- oauth2:
- users:tokens
responses: responses:
'200': '200':
description: The list of tokens description: The list of tokens
@@ -357,6 +435,9 @@ paths:
description: No such user description: No such user
post: post:
summary: Create a new token for the user summary: Create a new token for the user
security:
- oauth2:
- users:tokens
parameters: parameters:
- name: token_params - name: token_params
in: body in: body
@@ -370,6 +451,9 @@ paths:
note: note:
type: string type: string
description: A note attached to the token for future bookkeeping description: A note attached to the token for future bookkeeping
roles:
type: list
description: A list of role names that the token should have
responses: responses:
'201': '201':
description: The newly created token description: The newly created token
@@ -377,6 +461,8 @@ paths:
$ref: '#/definitions/Token' $ref: '#/definitions/Token'
'400': '400':
description: Body must be a JSON dict or empty description: Body must be a JSON dict or empty
'403':
description: Requested role does not exist
/users/{name}/tokens/{token_id}: /users/{name}/tokens/{token_id}:
parameters: parameters:
- name: name - name: name
@@ -390,6 +476,9 @@ paths:
type: string type: string
get: get:
summary: Get the model for a token by id summary: Get the model for a token by id
security:
- oauth2:
- users:tokens
responses: responses:
'200': '200':
description: The info for the new token description: The info for the new token
@@ -397,12 +486,19 @@ paths:
$ref: '#/definitions/Token' $ref: '#/definitions/Token'
delete: delete:
summary: Delete (revoke) a token by id summary: Delete (revoke) a token by id
security:
- oauth2:
- users:tokens
responses: responses:
'204': '204':
description: The token has been deleted description: The token has been deleted
/user: /user:
get: get:
summary: Return authenticated user's model summary: Return authenticated user's model
security:
- oauth2:
- all
- read:all
responses: responses:
'200': '200':
description: The authenticated user's model is returned. description: The authenticated user's model is returned.
@@ -411,6 +507,10 @@ paths:
/groups: /groups:
get: get:
summary: List groups summary: List groups
security:
- oauth2:
- groups
- read:groups
responses: responses:
'200': '200':
description: The list of groups description: The list of groups
@@ -421,6 +521,11 @@ paths:
/groups/{name}: /groups/{name}:
get: get:
summary: Get a group by name summary: Get a group by name
security:
- oauth2:
- groups
- groups!group=groupname
- read:groups
parameters: parameters:
- name: name - name: name
description: group name description: group name
@@ -434,6 +539,9 @@ paths:
$ref: '#/definitions/Group' $ref: '#/definitions/Group'
post: post:
summary: Create a group summary: Create a group
security:
- oauth2:
- admin:groups
parameters: parameters:
- name: name - name: name
description: group name description: group name
@@ -447,6 +555,9 @@ paths:
$ref: '#/definitions/Group' $ref: '#/definitions/Group'
delete: delete:
summary: Delete a group summary: Delete a group
security:
- oauth2:
- admin:groups
parameters: parameters:
- name: name - name: name
description: group name description: group name
@@ -459,6 +570,10 @@ paths:
/groups/{name}/users: /groups/{name}/users:
post: post:
summary: Add users to a group summary: Add users to a group
security:
- oauth2:
- groups
- groups!group=groupname
parameters: parameters:
- name: name - name: name
description: group name description: group name
@@ -484,6 +599,10 @@ paths:
$ref: '#/definitions/Group' $ref: '#/definitions/Group'
delete: delete:
summary: Remove users from a group summary: Remove users from a group
security:
- oauth2:
- groups
- groups!group=groupname
parameters: parameters:
- name: name - name: name
description: group name description: group name
@@ -508,6 +627,9 @@ paths:
/services: /services:
get: get:
summary: List services summary: List services
security:
- oauth2:
- read:services
responses: responses:
'200': '200':
description: The service list description: The service list
@@ -518,6 +640,9 @@ paths:
/services/{name}: /services/{name}:
get: get:
summary: Get a service by name summary: Get a service by name
security:
- oauth2:
- read:services
parameters: parameters:
- name: name - name: name
description: service name description: service name
@@ -533,6 +658,9 @@ paths:
get: get:
summary: Get the proxy's routing table summary: Get the proxy's routing table
description: A convenience alias for getting the routing table directly from the proxy description: A convenience alias for getting the routing table directly from the proxy
security:
- oauth2:
- proxy
responses: responses:
'200': '200':
description: Routing table description: Routing table
@@ -541,12 +669,18 @@ paths:
description: configurable-http-proxy routing table (see configurable-http-proxy docs for details) description: configurable-http-proxy routing table (see configurable-http-proxy docs for details)
post: post:
summary: Force the Hub to sync with the proxy summary: Force the Hub to sync with the proxy
security:
- oauth2:
- proxy
responses: responses:
'200': '200':
description: Success description: Success
patch: patch:
summary: Notify the Hub about a new proxy summary: Notify the Hub about a new proxy
description: Notifies the Hub of a new proxy to use. description: Notifies the Hub of a new proxy to use.
security:
- oauth2:
- proxy
parameters: parameters:
- name: body - name: body
in: body in: body
@@ -579,6 +713,9 @@ paths:
in the JSON request body. in the JSON request body.
Logging in via this method is only available when the active Authenticator Logging in via this method is only available when the active Authenticator
accepts passwords (e.g. not OAuth). accepts passwords (e.g. not OAuth).
security:
- oauth2:
- users:tokens # minrk: this is a deprecated alias to POST /users/{name}/tokens, either remove it or use the same scope
parameters: parameters:
- name: credentials - name: credentials
in: body in: body
@@ -603,6 +740,9 @@ paths:
/authorizations/token/{token}: /authorizations/token/{token}:
get: get:
summary: Identify a user or service from an API token summary: Identify a user or service from an API token
security:
- oauth2:
- read:users:tokens # minrk: is it really necessary to have a scope for this, or use self handler for token whoami?
parameters: parameters:
- name: token - name: token
in: path in: path
@@ -633,6 +773,7 @@ paths:
$ref: '#/definitions/User' $ref: '#/definitions/User'
'404': '404':
description: A user is not found. description: A user is not found.
deprecated: true # minrk: lets not add a scope for this, lets remove it
/oauth2/authorize: /oauth2/authorize:
get: get:
summary: 'OAuth 2.0 authorize endpoint' summary: 'OAuth 2.0 authorize endpoint'
@@ -714,6 +855,9 @@ paths:
/shutdown: /shutdown:
post: post:
summary: Shutdown the Hub summary: Shutdown the Hub
security:
- oauth2:
- shutdown
parameters: parameters:
- name: body - name: body
in: body in: body
@@ -747,6 +891,11 @@ definitions:
admin: admin:
type: boolean type: boolean
description: Whether the user is an admin description: Whether the user is an admin
roles:
type: array
description: The names of roles this user has
items:
type: string
groups: groups:
type: array type: array
description: The names of groups where this user is a member description: The names of groups where this user is a member
@@ -828,6 +977,11 @@ definitions:
admin: admin:
type: boolean type: boolean
description: Whether the service is an admin description: Whether the service is an admin
roles:
type: array
description: The names of roles this service has
items:
type: string
url: url:
type: string type: string
description: The internal url where the service is running description: The internal url where the service is running
@@ -862,6 +1016,11 @@ definitions:
service: service:
type: string type: string
description: The service that owns the token (undefined of owned by a user) description: The service that owns the token (undefined of owned by a user)
roles:
type: array
description: The names of roles this token has
items:
type: string
note: note:
type: string type: string
description: A note about the token, typically describing what it was created for. description: A note about the token, typically describing what it was created for.