Disallow having both manage_roles and load_roles

2025-10-14 13:33:00 +00:00 · 2024-03-19 14:31:37 +00:00
parent 6a6c54fef5
commit a76e62dc65
2 changed files with 28 additions and 0 deletions
--- a/jupyterhub/app.py
+++ b/jupyterhub/app.py
@@ -2240,6 +2240,10 @@ class JupyterHub(Application):
        if self.custom_scopes:
            self.log.info(f"Defining {len(self.custom_scopes)} custom scopes.")
            scopes.define_custom_scopes(self.custom_scopes)
+
+        if self.authenticator.manage_roles and self.load_roles:
+            raise ValueError("Role management has been offloaded to the authenticator")
+
        self.log.debug('Loading roles into database')
        default_roles = roles.get_default_roles()
        config_role_names = [r['name'] for r in self.load_roles]
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -1273,6 +1273,30 @@ async def test_admin_role_membership(in_db, role_users, admin_users, expected_me
    assert role_members == expected_members


+async def test_manage_roles_disallows_load_roles():
+    roles_to_load = [
+        {
+            'name': 'elephant',
+            'description': 'pacing about',
+            'scopes': ['read:hub'],
+        },
+    ]
+    hub = MockHub(load_roles=roles_to_load)
+    hub.init_db()
+    hub.authenticator.manage_roles = True
+    with pytest.raises(ValueError, match="offloaded to the authenticator"):
+        await hub.init_role_creation()
+
+
+async def test_manage_roles_loads_default_roles():
+    hub = MockHub()
+    hub.init_db()
+    hub.authenticator.manage_roles = True
+    await hub.init_role_creation()
+    admin_role = orm.Role.find(hub.db, 'admin')
+    assert admin_role
+
+
 async def test_no_default_service_role():
    services = [
        {