Merge branch 'rbac' into fix_role_init

2025-10-17 06:52:59 +00:00 · 2021-05-05 16:01:03 +02:00
parent c61b8e60c2 3d3c84a2b3
commit bbf251ed13
2 changed files with 19 additions and 10 deletions
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -23,13 +23,9 @@ def get_default_roles():
            'name': 'admin',
            'description': 'Admin privileges (currently can do everything)',
            'scopes': [
-                'all',
-                'users',
-                'users:servers',
-                'users:tokens',
                'admin:users',
                'admin:users:servers',
-                'groups',
+                'users:tokens',
                'admin:groups',
                'read:services',
                'read:hub',
@@ -87,6 +83,7 @@ def _get_scope_hierarchy():
    scopes = {
        'self': None,
        'all': None,
+        'admin:users': ['admin:users:auth_state', 'users'],
        'users': ['read:users', 'users:activity'],
        'read:users': [
            'read:users:name',
@@ -95,12 +92,11 @@ def _get_scope_hierarchy():
        ],
        'users:activity': ['read:users:activity'],
        'users:tokens': ['read:users:tokens'],
-        'admin:users': ['admin:users:auth_state'],
-        'admin:users:servers': ['admin:users:server_state'],
-        'groups': ['read:groups'],
+        'admin:users:servers': ['admin:users:server_state', 'users:servers'],
        'users:servers': ['read:users:servers'],
        'read:users:servers': ['read:users:name'],
-        'admin:groups': None,
+        'admin:groups': ['groups'],
+        'groups': ['read:groups'],
        'read:services': None,
        'read:hub': None,
        'proxy': None,
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -177,6 +177,19 @@ def test_orm_roles_delete_cascade(db):
@mark.parametrize(
    "scopes, subscopes",
    [
+        (
+            ['admin:users'],
+            {
+                'admin:users',
+                'admin:users:auth_state',
+                'users',
+                'read:users',
+                'users:activity',
+                'read:users:name',
+                'read:users:groups',
+                'read:users:activity',
+            },
+        ),
        (
            ['users'],
            {
@@ -198,7 +211,7 @@ def test_orm_roles_delete_cascade(db):
            },
        ),
        (['read:users:servers'], {'read:users:servers', 'read:users:name'}),
-        (['admin:groups'], {'admin:groups'}),
+        (['admin:groups'], {'admin:groups', 'groups', 'read:groups'}),
        (
            ['users:tokens!group=hobbits'],
            {'users:tokens!group=hobbits', 'read:users:tokens!group=hobbits'},