Make role_associations private again

jupyterhub/app.py

@@ -2342,7 +2342,7 @@ class JupyterHub(Application):
         if self.authenticator.reset_managed_roles_on_startup:
             for kind in kinds:
                 entity_name = kind[:-1]
-                association_class = orm.role_associations[entity_name]
+                association_class = orm._role_associations[entity_name]
                 deleted = (
                     db.query(association_class)
                     .filter(association_class.managed_by_auth == True)

jupyterhub/orm.py

@@ -163,7 +163,7 @@ class Server(Base):
 # lots of things have roles
 # mapping tables are the same for all of them
 
-role_associations = {}
+_role_associations = {}
 
 for entity in (
     'user',
@@ -186,7 +186,7 @@ for entity in (
         Column('managed_by_auth', Boolean, default=False),
     )
 
-    role_associations[entity] = type(
+    _role_associations[entity] = type(
         entity.title() + 'RoleMap', (Base,), {'__table__': table}
     )
 

jupyterhub/roles.py

@@ -268,7 +268,7 @@ def grant_role(db, entity, role, managed=False, commit=True):
         enitity_name = type(entity).__name__.lower()
         entity.roles.append(role)
         if managed:
-            association_class = orm.role_associations[enitity_name]
+            association_class = orm._role_associations[enitity_name]
             association = (
                 db.query(association_class)
                 .filter(

jupyterhub/tests/test_auth.py

@@ -761,7 +761,7 @@ async def test_auth_manage_roles_marks_new_assignment_as_managed(app, user, role
     with mock.patch.dict(app.tornado_settings, {"authenticator": authenticator}):
         await app.login_user(user.name)
         assert not app.db.dirty
-        UserRoleMap = orm.role_associations['user']
+        UserRoleMap = orm._role_associations['user']
         association = (
             app.db.query(UserRoleMap)
             .filter((UserRoleMap.role_id == role.id) & (UserRoleMap.user_id == user.id))