Disallow having both manage_roles and load_roles

jupyterhub/app.py

@@ -2240,6 +2240,10 @@ class JupyterHub(Application):
         if self.custom_scopes:
             self.log.info(f"Defining {len(self.custom_scopes)} custom scopes.")
             scopes.define_custom_scopes(self.custom_scopes)
+
+        if self.authenticator.manage_roles and self.load_roles:
+            raise ValueError("Role management has been offloaded to the authenticator")
+
         self.log.debug('Loading roles into database')
         default_roles = roles.get_default_roles()
         config_role_names = [r['name'] for r in self.load_roles]

jupyterhub/tests/test_roles.py

@@ -1273,6 +1273,30 @@ async def test_admin_role_membership(in_db, role_users, admin_users, expected_me
     assert role_members == expected_members
 
 
+async def test_manage_roles_disallows_load_roles():
+    roles_to_load = [
+        {
+            'name': 'elephant',
+            'description': 'pacing about',
+            'scopes': ['read:hub'],
+        },
+    ]
+    hub = MockHub(load_roles=roles_to_load)
+    hub.init_db()
+    hub.authenticator.manage_roles = True
+    with pytest.raises(ValueError, match="offloaded to the authenticator"):
+        await hub.init_role_creation()
+
+
+async def test_manage_roles_loads_default_roles():
+    hub = MockHub()
+    hub.init_db()
+    hub.authenticator.manage_roles = True
+    await hub.init_role_creation()
+    admin_role = orm.Role.find(hub.db, 'admin')
+    assert admin_role
+
+
 async def test_no_default_service_role():
     services = [
         {