hazza/jupyterhub
1
0
Fork 0
mirror of https://github.com/jupyterhub/jupyterhub.git synced 2025-10-08 02:24:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactored scope description to be usable for both docs and authorization page

Browse Source
This commit is contained in:
0mar
2021-06-11 11:44:10 +02:00
parent a605ad9c44
commit d169359d51
3 changed files with 37 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
docs/source/rbac/generate-scope-table.py
View File

@@ -61,6 +61,9 @@ class ScopeTableGenerator:
def _add_subscopes(table_rows, scopename, depth=0):
description = self.scopes[scopename]['description']
meta_description = self.scopes[scopename].get('metadescription', '')
if meta_description:
description = description.rstrip('.') + f" ({meta_description})."
table_row = [f"{md_indent*depth}`{scopename}`", description]
table_rows.append(table_row)
for subscope in scope_pairs[scopename]:
@@ -76,7 +79,7 @@ class ScopeTableGenerator:
"""Generates the scope table in markdown format and writes it into scope-table.md file"""
filename = f"{HERE}/scope-table.md"
table_name = ""
headers = ["Scope", "Description"]
headers = ["Scope", "Grants permission to:"]
values = self._parse_scopes()
writer = self.create_writer(table_name, headers, values)

65
jupyterhub/scopes.py
View File

@@ -23,82 +23,79 @@ from . import orm
from . import roles
scope_definitions = {
'(no_scope)': {'description': 'Allows for only identifying the owning entity.'},
'(no_scope)': {'description': 'Identify the owner of this entity.'},
'self': {
'description': 'Metascope, grants access to users own resources only; resolves to (no_scope) for services.'
'description': 'The users own resources.',
'metadescription': 'metascope for users, resolves to (no_scope) for services',
},
'all': {
'description': 'Metascope, valid for tokens only. Grants access to everything that the token-owning entity can access.'
'description': 'Everything that the token-owning entity can access.',
'metadescription': 'metascope for tokens',
},
'admin:users': {
'description': 'Grants read, write, create and delete access to users and their authentication state, not including their servers or tokens.',
'description': 'Read, write, create and delete users and their authentication state, not including their servers or tokens.',
'subscopes': ['admin:users:auth_state', 'users', 'read:users:roles'],
},
'admin:users:auth_state': {
'description': 'Grants access to user authentication state.'
},
'admin:users:auth_state': {'description': 'Read a users authentication state.'},
'users': {
'description': 'Grants read and write permissions to user models, not including servers, tokens and authentication state.',
'description': 'Read and write permissions to user models, e servers, tokens and authentication state.',
'subscopes': ['read:users', 'users:activity'],
},
'read:users': {
'description': 'Read-only access to user models, not including servers, tokens and authentication state.',
'description': 'Read user models, (exluding including servers, tokens and authentication state).',
'subscopes': [
'read:users:name',
'read:users:groups',
'read:users:activity',
],
},
'read:users:name': {'description': 'Read-only access to users names.'},
'read:users:groups': {'description': 'Read-only access to users group names.'},
'read:users:activity': {'description': 'Read-only access to users last activity.'},
# todo: describe that it only specifies timestamp of activity
'read:users:roles': {'description': 'Read-only access to user roles.'},
'read:users:name': {'description': 'Read names of users.'},
'read:users:groups': {'description': 'Read names of users groups.'},
'read:users:activity': {'description': 'Read time of last user activity'},
'read:users:roles': {'description': 'Read names of users roles.'},
'users:activity': {
'description': 'Grants access to read and update user activity.',
'description': 'Update time of last user activity.',
'subscopes': ['read:users:activity'],
},
'admin:users:servers': {
'description': 'Grants read, start/stop, create and delete permissions to user servers and their state.',
'description': 'Read, start, stop, create and delete user servers and their state.',
'subscopes': ['admin:users:server_state', 'users:servers'],
},
'admin:users:server_state': {'description': 'Grants access to server state only.'},
'admin:users:server_state': {'description': 'Read and write users server state.'},
'users:servers': {
'description': 'Allows for starting/stopping user servers. Does not include the server state.',
'description': 'Start and stop user servers.',
'subscopes': ['read:users:servers'],
},
'read:users:servers': {
'description': 'Read-only access to users names and their server models. Does not include the server state.',
'description': 'Read users names and their server models. Does not include the server state.',
'subscopes': ['read:users:name'],
},
'users:tokens': {
'description': 'Grants read, write, create and delete permissions for user tokens.',
'description': 'Read, write, create and delete user tokens.',
'subscopes': ['read:users:tokens'],
},
'read:users:tokens': {'description': 'Read-only access to user tokens.'},
'read:users:tokens': {'description': 'Read user tokens.'},
'admin:groups': {
'description': 'Grants read, write, create and delete access to groups.',
'description': 'Read and write group information, create and delete groups.',
'subscopes': ['groups', 'read:groups:roles'],
},
'groups': {
'description': 'Grants read and write permissions to groups, including adding/removing users to/from groups.',
'description': 'Read and write group information, including adding/removing users to/from groups.',
'subscopes': ['read:groups'],
},
'read:groups': {
'description': 'Read-only access to group models.',
'description': 'Read group models.',
'subscopes': ['read:groups:name'],
},
'read:groups:name': {'description': 'Read-only access to group names.'},
'read:groups:roles': {'description': 'Read-only access to group role names.'},
'read:groups:name': {'description': 'Read group names.'},
'read:groups:roles': {'description': 'Read group role names.'},
'read:services': {
'description': 'Read-only access to service models.',
'description': 'Read service models.',
'subscopes': ['read:services:name'],
},
'read:services:name': {'description': 'Read-only access to service names.'},
'read:services:roles': {'description': 'Read-only access to service role names.'},
'read:hub': {
'description': 'Read-only access to detailed information about the Hub.'
},
'read:services:name': {'description': 'Read service names.'},
'read:services:roles': {'description': 'Read service role names.'},
'read:hub': {'description': 'Read detailed information about the Hub.'},
'access:users:servers': {
'description': 'Access user servers via API or browser.',
},
@@ -106,9 +103,9 @@ scope_definitions = {
'description': 'Access services via API or browser.',
},
'proxy': {
'description': 'Allows for obtaining information about the proxys routing table, for syncing the Hub with proxy and notifying the Hub about a new proxy.'
'description': 'Read information about the proxys routing table, sync the Hub with the proxy and notify the Hub about a new proxy.'
},
'shutdown': {'description': 'Grants access to shutdown the hub.'},
'shutdown': {'description': 'Shutdown the hub.'},
}

4
share/jupyterhub/templates/oauth.html
View File

@@ -21,7 +21,7 @@
{% endif %}
</p>
<h3>The application will be able to:</h3>
<h3>This will grant the application permission to:</h3>
<div>
<form method="POST" action="">
{# these are the 'real' inputs to the form -#}
@@ -38,7 +38,7 @@
<span>
{{ scope_info['description'] }}
{% if scope_info['filter'] %}
For {{ scope_info['filter'] }}.
Applies to {{ scope_info['filter'] }}.
{% endif %}
</span>
</label>