jupyterhub-singleuser as a Jupyter Server 2.0 extension

mostly a copy (fork) of singleuser app using public APIs instead of lots of patching. opt-in via `JUPYTERHUB_SINGLEUSER_EXTENSION=1` related changes: - stop running a test single-user server in a thread. It's complicated and fragile. Instead, run it normally, and get the info we need from a custom handler registered via an extension via the `full_spawn` fixture
2025-10-16 22:43:00 +00:00 · 2022-12-21 12:28:37 +01:00
parent 63f164ca53
commit 58dccdb59b
17 changed files with 1068 additions and 141 deletions
--- a/examples/read-only/jupyterhub_config.py
+++ b/examples/read-only/jupyterhub_config.py
@@ -0,0 +1,95 @@
+c = get_config()  # noqa
+
+# define custom scopes so they can be assigned to users
+# these could be
+
+c.JupyterHub.custom_scopes = {
+    "custom:jupyter_server:read:*": {
+        "description": "read-only access to your server",
+    },
+    "custom:jupyter_server:write:*": {
+        "description": "access to modify files on your server. Does not include execution.",
+        "subscopes": ["custom:jupyter_server:read:*"],
+    },
+    "custom:jupyter_server:execute:*": {
+        "description": "Execute permissions on servers.",
+        "subscopes": [
+            "custom:jupyter_server:write:*",
+            "custom:jupyter_server:read:*",
+        ],
+    },
+}
+
+c.JupyterHub.load_roles = [
+    # grant specific users read-only access to all servers
+    {
+        "name": "read-only-all",
+        "scopes": [
+            "access:servers",
+            "custom:jupyter_server:read:*",
+        ],
+        "groups": ["read-only"],
+    },
+    {
+        "name": "read-only-read-only-percy",
+        "scopes": [
+            "access:servers!user=percy",
+            "custom:jupyter_server:read:*!user=percy",
+        ],
+        "users": ["vex"],
+    },
+    {
+        "name": "admin-ui",
+        "scopes": [
+            "admin-ui",
+            "list:users",
+            "admin:servers",
+        ],
+        "users": ["admin"],
+    },
+    {
+        "name": "full-access",
+        "scopes": [
+            "access:servers",
+            "custom:jupyter_server:execute:*",
+        ],
+        "users": ["minrk"],
+    },
+    # all users have full access to their own servers
+    {
+        "name": "user",
+        "scopes": [
+            "custom:jupyter_server:execute:*!user",
+            "custom:jupyter_server:read:*!user",
+            "self",
+        ],
+    },
+]
+
+# servers request access to themselves
+
+c.Spawner.oauth_client_allowed_scopes = [
+    "access:servers!server",
+    "custom:jupyter_server:read:*!server",
+    "custom:jupyter_server:execute:*!server",
+]
+
+# enable the jupyter-server extension
+c.Spawner.environment = {
+    "JUPYTERHUB_SINGLEUSER_EXTENSION": "1",
+}
+
+from pathlib import Path
+
+here = Path(__file__).parent.resolve()
+
+# load the server config that enables granular permissions
+c.Spawner.args = [
+    f"--config={here}/jupyter_server_config.py",
+]
+
+
+# example boilerplate: dummy auth/spawner
+c.JupyterHub.authenticator_class = 'dummy'
+c.JupyterHub.spawner_class = 'simple'
+c.JupyterHub.ip = '127.0.0.1'