Implement load_managed_roles, allow to assign scopes

and update roles (but not assign them to users/groups) by using `load_roles` when `Authenticator.manage_roles` is on.
2025-10-17 15:03:02 +00:00 · 2024-03-26 17:51:25 +00:00
parent 26906cca07
commit b7d68ca255
5 changed files with 141 additions and 12 deletions
--- a/docs/source/reference/authenticators.md
+++ b/docs/source/reference/authenticators.md
@@ -337,7 +337,11 @@ which is a list of roles that user should be assigned to:

 If authenticator-managed groups are enabled,
 all group-management via the API is disabled,
-and roles cannot be specified with `load_roles` traitlet.
+and roles cannot be assigned to groups nor users via `load_roles` traitlet
+(roles can still be created via `load_roles` or assigned to services).
+
+When an authenticator manages roles, the initial roles and role assignments
+can be loaded from role specifications returned by the `Authenticator.load_managed_roles()` method.

 ## pre_spawn_start and post_spawn_stop hooks