Add scope

2025-10-07 10:04:07 +00:00 · 2023-03-01 14:22:05 +01:00
parent e515a4b820
commit 7dd4e4516f
8 changed files with 18 additions and 12 deletions
--- a/docs/source/_static/rest-api.yml
+++ b/docs/source/_static/rest-api.yml
@@ -1498,6 +1498,9 @@ components:
            read:groups: Read group models.
            read:groups:name: Read group names.
            delete:groups: Delete groups.
+            admin:services:
+              Create, read, update, delete services, not including services
+              defined from config files.
            list:services: List services, including at least their names.
            read:services: Read service models.
            read:services:name: Read service names.
--- a/jupyterhub/alembic/versions/3c2384c5aae1_add_from_config_column_to_the_services_.py
+++ b/jupyterhub/alembic/versions/3c2384c5aae1_add_from_config_column_to_the_services_.py
@@ -11,8 +11,8 @@ down_revision = '0eee8c825d24'
 branch_labels = None
 depends_on = None

-from alembic import op
 import sqlalchemy as sa
+from alembic import op


 def upgrade():
@@ -25,5 +25,6 @@ def upgrade():
        )
        op.execute('UPDATE services SET from_config = true')

+
 def downgrade():
    op.drop_column('services', sa.Column('from_config'))
--- a/jupyterhub/apihandlers/base.py
+++ b/jupyterhub/apihandlers/base.py
@@ -2,7 +2,6 @@
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
 import json
-from typing import Union
 import warnings
 from functools import lru_cache
 from http.client import responses
@@ -410,7 +409,7 @@ class APIHandler(BaseHandler):
        'environment': dict,
        'user': str,
        'oauth_client_id': str,
-        'oauth_redirect_uri': str
+        'oauth_redirect_uri': str,
    }

    def _check_model(self, model, model_types, name):
@@ -454,7 +453,7 @@ class APIHandler(BaseHandler):
    def _check_service_model(self, model):
        """Check a request-provided service model from a REST API"""
        self._check_model(model, self._service_model_types, 'service')
-        service_name =  model.get('name')
+        service_name = model.get('name')
        if not isinstance(service_name, str):
            raise web.HTTPError(
                400, ("Service name must be str, not %r", type(service_name))
--- a/jupyterhub/apihandlers/services.py
+++ b/jupyterhub/apihandlers/services.py
@@ -6,9 +6,10 @@ Currently GET-only, no actions can be taken to modify services.
 # Distributed under the terms of the Modified BSD License.
 import json

+from tornado import web
+
 from ..scopes import Scope, needs_scope
 from .base import APIHandler
-from tornado import web


 class ServiceListAPIHandler(APIHandler):
@@ -29,7 +30,7 @@ class ServiceAPIHandler(APIHandler):
        service = self.services[service_name]
        self.write(json.dumps(self.service_model(service)))

-    @needs_scope('read:services', 'read:services:name', 'read:roles:services')
+    @needs_scope('admin:services')
    def post(self, service_name: str):
        data = self.get_json_body()
        service = self.find_service(service_name)
@@ -39,7 +40,7 @@ class ServiceAPIHandler(APIHandler):

        if not data or not isinstance(data, dict):
            raise web.HTTPError(400, "Invalid service data")
-    
+
        data['name'] = service_name
        self._check_service_model(data)
        self.service_from_spec(data)
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -2381,11 +2381,9 @@ class JupyterHub(Application):
        name = spec['name']
        # get/create orm
        orm_service = orm.Service.find(self.db, name=name)
-        print('########### found', name, orm_service)
        if orm_service is None:
            # not found, create a new one
            orm_service = orm.Service(name=name, from_config=from_config)
-            print('########### adding', name, orm_service)
            self.db.add(orm_service)
            if spec.get('admin', False):
                self.log.warning(
@@ -2396,7 +2394,6 @@ class JupyterHub(Application):
                )
                roles.update_roles(self.db, entity=orm_service, roles=['admin'])
        orm_service.admin = spec.get('admin', False)
-        print('commiting db', name)
        self.db.commit()
        service = Service(
            parent=self,
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -8,11 +8,11 @@ import math
 import random
 import re
 import time
-from typing import Optional
 import uuid
 import warnings
 from datetime import datetime, timedelta
 from http.client import responses
+from typing import Optional
 from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse, urlunparse

 from jinja2 import TemplateNotFound
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -34,6 +34,7 @@ def get_default_roles():
                'admin-ui',
                'admin:users',
                'admin:servers',
+                'admin:services',
                'tokens',
                'admin:groups',
                'list:services',
--- a/jupyterhub/scopes.py
+++ b/jupyterhub/scopes.py
@@ -123,6 +123,10 @@ scope_definitions = {
    'delete:groups': {
        'description': "Delete groups.",
    },
+    'admin:services': {
+        'description': 'Create, read, update, delete services, not including services defined from config files.',
+        'subscopes': ['list:services', 'read:services', 'read:roles:services'],
+    },
    'list:services': {
        'description': 'List services, including at least their names.',
        'subscopes': ['read:services:name'],
@@ -435,7 +439,7 @@ def _expand_self_scope(username):

@lru_cache(maxsize=65535)
 def _expand_scope(scope):
-    """Returns a scope and all all subscopes
+    """Returns a scope and all subscopes

    Arguments:
      scope (str): the scope to expand