From cdc99580deab22a51bb2929b35824187cf0a004c Mon Sep 17 00:00:00 2001
From: IvanaH8
Date: Wed, 28 Apr 2021 17:19:52 +0200
Subject: [PATCH 1/4] Update scope hierarchy in roles.py and tests
---
 jupyterhub/roles.py | 12 +++++++-----
 jupyterhub/tests/test_roles.py | 18 +++++++++++++++---
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index 6ea75a89..afb4f4f0 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -87,18 +87,20 @@ def _get_scope_hierarchy():
 scopes = {
 'self': None,
 'all': None,
- 'users': ['read:users', 'users:groups', 'users:activity'],
+ 'admin:users': ['admin:users:auth_state', 'users'],
+ 'users': ['read:users', 'users:activity'],
 'read:users': [
 'read:users:name',
 'read:users:groups',
 'read:users:activity',
 ],
+ 'users:activity': ['read:users:activity'],
 'users:tokens': ['read:users:tokens'],
- 'admin:users': ['admin:users:auth_state'],
- 'admin:users:servers': ['admin:users:server_state'],
- 'groups': ['read:groups'],
+ 'admin:users:servers': ['admin:users:server_state', 'users:servers'],
 'users:servers': ['read:users:servers'],
- 'admin:groups': None,
+ 'read:users:servers': ['read:users:name'],
+ 'admin:groups': ['groups'],
+ 'groups': ['read:groups'],
 'read:services': None,
 'read:hub': None,
 'proxy': None,
diff --git a/jupyterhub/tests/test_roles.py b/jupyterhub/tests/test_roles.py
index f538ff21..30e442dc 100644
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -175,13 +175,25 @@ def test_orm_roles_delete_cascade(db):
 @mark.parametrize(
 "scopes, subscopes",
 [
+ (
+ ['admin:users'],
+ {
+ 'admin:users',
+ 'admin:users:auth_state',
+ 'users',
+ 'read:users',
+ 'users:activity',
+ 'read:users:name',
+ 'read:users:groups',
+ 'read:users:activity',
+ },
+ ),
 (
 ['users'],
 {
 'users',
 'read:users',
 'users:activity',
- 'users:groups',
 'read:users:name',
 'read:users:groups',
 'read:users:activity',
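Review bot: The new edges `'read:users:servers': ['read:users:name']` and `'admin:users:servers': ['admin:users:server_state', 'users:servers']` make a scope imply one that is not lexically its child, and nothing in the hunk says why, so a reader can no longer assume the hierarchy follows the `prefix:suffix` naming. A comment above the dict such as `# Each key lists its direct sub-scopes; cross-prefix entries (e.g. read:users:servers -> read:users:name) are deliberate and presumably widen what the parent grants — keep them reviewed` would make the privilege implications auditable. The hand-maintained dict also has no check that every scope listed as a child is itself a key or an intended leaf, so a typo in a child name (say a constructed `'read:user:name'`) would silently become a dead leaf instead of failing; a test asserting that every child appears either as a key of `scopes` or in an explicit leaf set would catch that. The body of `_get_scope_hierarchy` continues outside the hunk.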
@@ -196,8 +208,8 @@ def test_orm_roles_delete_cascade(db):
 'read:users:activity',
 },
 ),
- (['read:users:servers'], {'read:users:servers'}),
- (['admin:groups'], {'admin:groups'}),
+ (['read:users:servers'], {'read:users:servers', 'read:users:name'}),
+ (['admin:groups'], {'admin:groups', 'groups', 'read:groups'}),
 (
 ['users:tokens!group=hobbits'],
 {'users:tokens!group=hobbits', 'read:users:tokens!group=hobbits'},
From b2c286691521a25608438079303497cc7c38cd57 Mon Sep 17 00:00:00 2001
From: IvanaH8
Date: Wed, 28 Apr 2021 17:34:19 +0200
Subject: [PATCH 2/4] Update admin role scopes list
---
 jupyterhub/roles.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index afb4f4f0..a685e1cd 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -23,13 +23,9 @@ def get_default_roles():
 'name': 'admin',
 'description': 'Admin privileges (currently can do everything)',
 'scopes': [
- 'all',
- 'users',
- 'users:servers',
- 'users:tokens',
 'admin:users',
 'admin:users:servers',
- 'groups',
+ 'users:tokens',
 'admin:groups',
 'read:services',
 'read:hub',
From 60c73de8b2bf1e90109fa4f866c8aa36a4c699ec Mon Sep 17 00:00:00 2001
From: IvanaH8
Date: Thu, 29 Apr 2021 09:23:43 +0200
Subject: [PATCH 3/4] Change read:users(services):admin scope to read:users(services):roles
---
 jupyterhub/roles.py | 4 +++-
 jupyterhub/scopes.py | 4 ++--
 jupyterhub/tests/test_roles.py | 3 +++
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index a685e1cd..b07591be 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -64,6 +64,7 @@ def expand_self_scope(name):
 'users',
 'users:name',
 'users:groups',
+ 'users:roles',
 'users:activity',
 'users:servers',
 'users:tokens',
@@ -88,6 +89,7 @@ def _get_scope_hierarchy():
 'read:users': [
 'read:users:name',
 'read:users:groups',
+ 'read:users:roles',
 'read:users:activity',
 ],
 'users:activity': ['read:users:activity'],
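Review bot: Dropping `'all'` from the admin role's scope list in the `@@ -23,13 +23,9 @@` hunk changes what the role literally carries, while the description two lines above still reads `'Admin privileges (currently can do everything)'`; since `'all'` is only a bare `None` leaf in the hierarchy, whether it is a distinct grant somewhere else is not visible here and deserves a sentence in the commit message or a comment on the list. The remaining entries now reach `users`, `users:servers` and `groups` only through `admin:users`, `admin:users:servers` and `admin:groups`, so this list and the hierarchy have to be kept in step by hand; a test asserting that the expanded admin role covers every key of the scope hierarchy would catch drift in either direction. Keeping `'users:tokens'` explicit is right, because the hierarchy in patch 1/4 does not place it under `admin:users` or `users`. The enclosing `get_default_roles` list continues outside the hunk.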
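Review bot: The `@@ -64,6 +64,7 @@` and `@@ -88,6 +89,7 @@` hunks of patch 3/4, together with its `@@ -97,7 +99,7 @@` roles.py hunk, the scopes.py `identify_scopes` hunk and the three test_roles.py hunks, are reverted verbatim by patch 4/4 of this same series, so the series adds and removes `users:roles`/`read:users:roles` and swaps the identity field `admin` to `roles` and back with no net change. Squashing the two commits out of the series keeps history readable and avoids a bisect landing on an intermediate state that the revert message itself describes as not yet wired to the API handlers. If the branch history is meant to stay as-is, the revert's explanation already covers it and nothing else is needed.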
@@ -97,7 +99,7 @@ def _get_scope_hierarchy():
 'read:users:servers': ['read:users:name'],
 'admin:groups': ['groups'],
 'groups': ['read:groups'],
- 'read:services': None,
+ 'read:services': ['read:services:name', 'read:services:roles'],
 'read:hub': None,
 'proxy': None,
 'shutdown': None,
diff --git a/jupyterhub/scopes.py b/jupyterhub/scopes.py
index c5e6365c..ac68f6e6 100644
--- a/jupyterhub/scopes.py
+++ b/jupyterhub/scopes.py
@@ -208,11 +208,11 @@ def identify_scopes(obj):
 if isinstance(obj, orm.User):
 return {
 f"read:users:{field}!user={obj.name}"
- for field in {"name", "admin", "groups"}
+ for field in {"name", "roles", "groups"}
 }
 elif isinstance(obj, orm.Service):
 return {
- f"read:services:{field}!service={obj.name}" for field in {"name", "admin"}
+ f"read:services:{field}!service={obj.name}" for field in {"name", "roles"}
 }
 else:
 raise TypeError(f"Expected orm.User or orm.Service, got {obj!r}")
diff --git a/jupyterhub/tests/test_roles.py b/jupyterhub/tests/test_roles.py
index 30e442dc..9fede4bd 100644
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -185,6 +185,7 @@ def test_orm_roles_delete_cascade(db):
 'users:activity',
 'read:users:name',
 'read:users:groups',
+ 'read:users:roles',
 'read:users:activity',
 },
 ),
@@ -196,6 +197,7 @@ def test_orm_roles_delete_cascade(db):
 'users:activity',
 'read:users:name',
 'read:users:groups',
+ 'read:users:roles',
 'read:users:activity',
 },
 ),
@@ -205,6 +207,7 @@ def test_orm_roles_delete_cascade(db):
 'read:users',
 'read:users:name',
 'read:users:groups',
+ 'read:users:roles',
 'read:users:activity',
 },
 ),
From cc35d84f257cfa037cb1e9a67acfad8c455c1c1c Mon Sep 17 00:00:00 2001
From: IvanaH8
Date: Fri, 30 Apr 2021 15:13:29 +0200
Subject: [PATCH 4/4] Revert "Change read:users(services):admin scope to read:users(services):roles"
read:users(services):roles scopes will be added together with changes to api handlers
---
 jupyterhub/roles.py | 4 +---
 jupyterhub/scopes.py | 4 ++--
 jupyterhub/tests/test_roles.py | 3 ---
 3 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/jupyterhub/roles.py b/jupyterhub/roles.py
index b07591be..a685e1cd 100644
--- a/jupyterhub/roles.py
+++ b/jupyterhub/roles.py
@@ -64,7 +64,6 @@ def expand_self_scope(name):
 'users',
 'users:name',
 'users:groups',
- 'users:roles',
 'users:activity',
 'users:servers',
 'users:tokens',
@@ -89,7 +88,6 @@ def _get_scope_hierarchy():
 'read:users': [
 'read:users:name',
 'read:users:groups',
- 'read:users:roles',
 'read:users:activity',
 ],
 'users:activity': ['read:users:activity'],
@@ -99,7 +97,7 @@ def _get_scope_hierarchy():
 'read:users:servers': ['read:users:name'],
 'admin:groups': ['groups'],
 'groups': ['read:groups'],
- 'read:services': ['read:services:name', 'read:services:roles'],
+ 'read:services': None,
 'read:hub': None,
 'proxy': None,
 'shutdown': None,
diff --git a/jupyterhub/scopes.py b/jupyterhub/scopes.py
index ac68f6e6..c5e6365c 100644
--- a/jupyterhub/scopes.py
+++ b/jupyterhub/scopes.py
@@ -208,11 +208,11 @@ def identify_scopes(obj):
 if isinstance(obj, orm.User):
 return {
 f"read:users:{field}!user={obj.name}"
- for field in {"name", "roles", "groups"}
+ for field in {"name", "admin", "groups"}
 }
 elif isinstance(obj, orm.Service):
 return {
- f"read:services:{field}!service={obj.name}" for field in {"name", "roles"}
+ f"read:services:{field}!service={obj.name}" for field in {"name", "admin"}
 }
 else:
 raise TypeError(f"Expected orm.User or orm.Service, got {obj!r}")
diff --git a/jupyterhub/tests/test_roles.py b/jupyterhub/tests/test_roles.py
index 9fede4bd..30e442dc 100644
--- a/jupyterhub/tests/test_roles.py
+++ b/jupyterhub/tests/test_roles.py
@@ -185,7 +185,6 @@ def test_orm_roles_delete_cascade(db):
 'users:activity',
 'read:users:name',
 'read:users:groups',
- 'read:users:roles',
 'read:users:activity',
 },
 ),
@@ -197,7 +196,6 @@ def test_orm_roles_delete_cascade(db):
 'users:activity',
 'read:users:name',
 'read:users:groups',
- 'read:users:roles',
 'read:users:activity',
 },
 ),
@@ -207,7 +205,6 @@ def test_orm_roles_delete_cascade(db):
 'read:users',
 'read:users:name',
 'read:users:groups',
- 'read:users:roles',
 'read:users:activity',
 },
 ),