Refactored scope description to be usable for both docs and authorization page

This commit is contained in:
0mar
2021-06-11 11:44:10 +02:00
parent a605ad9c44
commit d169359d51
3 changed files with 37 additions and 37 deletions


@@ -61,6 +61,9 @@ class ScopeTableGenerator:
def _add_subscopes(table_rows, scopename, depth=0): def _add_subscopes(table_rows, scopename, depth=0):
description = self.scopes[scopename]['description'] description = self.scopes[scopename]['description']
meta_description = self.scopes[scopename].get('metadescription', '')
if meta_description:
description = description.rstrip('.') + f" ({meta_description})."
table_row = [f"{md_indent*depth}`{scopename}`", description] table_row = [f"{md_indent*depth}`{scopename}`", description]
table_rows.append(table_row) table_rows.append(table_row)
for subscope in scope_pairs[scopename]: for subscope in scope_pairs[scopename]:
@@ -76,7 +79,7 @@ class ScopeTableGenerator:
"""Generates the scope table in markdown format and writes it into scope-table.md file""" """Generates the scope table in markdown format and writes it into scope-table.md file"""
filename = f"{HERE}/scope-table.md" filename = f"{HERE}/scope-table.md"
table_name = "" table_name = ""
headers = ["Scope", "Description"] headers = ["Scope", "Grants permission to:"]
values = self._parse_scopes() values = self._parse_scopes()
writer = self.create_writer(table_name, headers, values) writer = self.create_writer(table_name, headers, values)
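Review bot: The metadescription merge at lines 15-17 should carry a comment saying why it happens only in the docs generator: the template hunk in this same commit renders `scope_info['description']` alone on the authorization page, so the meta text is docs-only context and `description` has to describe the grant on its own. Suggest above line 15: `# 'metadescription' is docs-only context (e.g. which metascope a scope resolves to); the authorization page shows 'description' alone, so that text must stand by itself.` Note also that `rstrip('.')` strips every trailing period rather than one; if that is not intended and the project targets 3.9+, `description.removesuffix('.')` is the stricter form. `_add_subscopes` continues past the end of the hunk.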


@@ -23,82 +23,79 @@ from . import orm
from . import roles from . import roles
scope_definitions = { scope_definitions = {
'(no_scope)': {'description': 'Allows for only identifying the owning entity.'}, '(no_scope)': {'description': 'Identify the owner of this entity.'},
'self': { 'self': {
'description': 'Metascope, grants access to users own resources only; resolves to (no_scope) for services.' 'description': 'The users own resources.',
'metadescription': 'metascope for users, resolves to (no_scope) for services',
}, },
'all': { 'all': {
'description': 'Metascope, valid for tokens only. Grants access to everything that the token-owning entity can access.' 'description': 'Everything that the token-owning entity can access.',
'metadescription': 'metascope for tokens',
}, },
'admin:users': { 'admin:users': {
'description': 'Grants read, write, create and delete access to users and their authentication state, not including their servers or tokens.', 'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.',
'subscopes': ['admin:users:auth_state', 'users', 'read:users:roles'], 'subscopes': ['admin:users:auth_state', 'users', 'read:users:roles'],
}, },
'admin:users:auth_state': { 'admin:users:auth_state': {'description': 'Read a users authentication state.'},
'description': 'Grants access to user authentication state.'
},
'users': { 'users': {
'description': 'Grants read and write permissions to user models, not including servers, tokens and authentication state.', 'description': 'Read and write permissions to user models, e servers, tokens and authentication state.',
'subscopes': ['read:users', 'users:activity'], 'subscopes': ['read:users', 'users:activity'],
}, },
'read:users': { 'read:users': {
'description': 'Read-only access to user models, not including servers, tokens and authentication state.', 'description': 'Read user models, (exluding including servers, tokens and authentication state).',
'subscopes': [ 'subscopes': [
'read:users:name', 'read:users:name',
'read:users:groups', 'read:users:groups',
'read:users:activity', 'read:users:activity',
], ],
}, },
'read:users:name': {'description': 'Read-only access to users names.'}, 'read:users:name': {'description': 'Read names of users.'},
'read:users:groups': {'description': 'Read-only access to users group names.'}, 'read:users:groups': {'description': 'Read names of users groups.'},
'read:users:activity': {'description': 'Read-only access to users last activity.'}, 'read:users:activity': {'description': 'Read time of last user activity'},
# todo: describe that it only specifies timestamp of activity 'read:users:roles': {'description': 'Read names of users roles.'},
'read:users:roles': {'description': 'Read-only access to user roles.'},
'users:activity': { 'users:activity': {
'description': 'Grants access to read and update user activity.', 'description': 'Update time of last user activity.',
'subscopes': ['read:users:activity'], 'subscopes': ['read:users:activity'],
}, },
'admin:users:servers': { 'admin:users:servers': {
'description': 'Grants read, start/stop, create and delete permissions to user servers and their state.', 'description': 'Read, start, stop, create and delete user servers and their state.',
'subscopes': ['admin:users:server_state', 'users:servers'], 'subscopes': ['admin:users:server_state', 'users:servers'],
}, },
'admin:users:server_state': {'description': 'Grants access to server state only.'}, 'admin:users:server_state': {'description': 'Read and write users server state.'},
'users:servers': { 'users:servers': {
'description': 'Allows for starting/stopping user servers. Does not include the server state.', 'description': 'Start and stop user servers.',
'subscopes': ['read:users:servers'], 'subscopes': ['read:users:servers'],
}, },
'read:users:servers': { 'read:users:servers': {
'description': 'Read-only access to users names and their server models. Does not include the server state.', 'description': 'Read users names and their server models. Does not include the server state.',
'subscopes': ['read:users:name'], 'subscopes': ['read:users:name'],
}, },
'users:tokens': { 'users:tokens': {
'description': 'Grants read, write, create and delete permissions for user tokens.', 'description': 'Read, write, create and delete user tokens.',
'subscopes': ['read:users:tokens'], 'subscopes': ['read:users:tokens'],
}, },
'read:users:tokens': {'description': 'Read-only access to user tokens.'}, 'read:users:tokens': {'description': 'Read user tokens.'},
'admin:groups': { 'admin:groups': {
'description': 'Grants read, write, create and delete access to groups.', 'description': 'Read and write group information, create and delete groups.',
'subscopes': ['groups', 'read:groups:roles'], 'subscopes': ['groups', 'read:groups:roles'],
}, },
'groups': { 'groups': {
'description': 'Grants read and write permissions to groups, including adding/removing users to/from groups.', 'description': 'Read and write group information, including adding/removing users to/from groups.',
'subscopes': ['read:groups'], 'subscopes': ['read:groups'],
}, },
'read:groups': { 'read:groups': {
'description': 'Read-only access to group models.', 'description': 'Read group models.',
'subscopes': ['read:groups:name'], 'subscopes': ['read:groups:name'],
}, },
'read:groups:name': {'description': 'Read-only access to group names.'}, 'read:groups:name': {'description': 'Read group names.'},
'read:groups:roles': {'description': 'Read-only access to group role names.'}, 'read:groups:roles': {'description': 'Read group role names.'},
'read:services': { 'read:services': {
'description': 'Read-only access to service models.', 'description': 'Read service models.',
'subscopes': ['read:services:name'], 'subscopes': ['read:services:name'],
}, },
'read:services:name': {'description': 'Read-only access to service names.'}, 'read:services:name': {'description': 'Read service names.'},
'read:services:roles': {'description': 'Read-only access to service role names.'}, 'read:services:roles': {'description': 'Read service role names.'},
'read:hub': { 'read:hub': {'description': 'Read detailed information about the Hub.'},
'description': 'Read-only access to detailed information about the Hub.'
},
'access:users:servers': { 'access:users:servers': {
'description': 'Access user servers via API or browser.', 'description': 'Access user servers via API or browser.',
}, },
@@ -106,9 +103,9 @@ scope_definitions = {
'description': 'Access services via API or browser.', 'description': 'Access services via API or browser.',
}, },
'proxy': { 'proxy': {
'description': 'Allows for obtaining information about the proxys routing table, for syncing the Hub with proxy and notifying the Hub about a new proxy.' 'description': 'Read information about the proxys routing table, sync the Hub with the proxy and notify the Hub about a new proxy.'
}, },
'shutdown': {'description': 'Grants access to shutdown the hub.'}, 'shutdown': {'description': 'Shutdown the hub.'},
} }
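Review bot: Two of the rewritten descriptions misstate the grant, and this text is what the OAuth consent page shows under "This will grant the application permission to:" per the template hunk in this commit. At line 51 the new `users` text reads "Read and write permissions to user models, e servers, tokens and authentication state." — the old "not including" was lost, so it now reads as if servers, tokens and auth state are covered; at line 55 `read:users` says "(exluding including servers, ...)", which is self-contradictory. Proposed lines: `'description': 'Read and write user models, not including servers, tokens and authentication state.',` and `'description': 'Read user models, not including servers, tokens and authentication state.',`; line 64 also lacks the trailing period the other entries have (`'Read time of last user activity.'`). One more wording point, hedged since enforcement is not visible here: `admin:users:auth_state` (line 47) has no `read:` prefix yet its new description says only "Read a users authentication state", which may understate on the consent page what the scope allows compared with the old "Grants access to user authentication state".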


@@ -21,7 +21,7 @@
{% endif %} {% endif %}
</p> </p>
<h3>The application will be able to:</h3> <h3>This will grant the application permission to:</h3>
<div> <div>
<form method="POST" action=""> <form method="POST" action="">
{# these are the 'real' inputs to the form -#} {# these are the 'real' inputs to the form -#}
@@ -38,7 +38,7 @@
<span> <span>
{{ scope_info['description'] }} {{ scope_info['description'] }}
{% if scope_info['filter'] %} {% if scope_info['filter'] %}
For {{ scope_info['filter'] }}. Applies to {{ scope_info['filter'] }}.
{% endif %} {% endif %}
</span> </span>
</label> </label>