jupyterhub/examples/read-only/jupyterhub_config.py

c = get_config()  # noqa

# define custom scopes so they can be assigned to users
# these could be

c.JupyterHub.custom_scopes = {
    "custom:jupyter_server:read:*": {
        "description": "read-only access to your server",
    },
    "custom:jupyter_server:write:*": {
        "description": "access to modify files on your server. Does not include execution.",
        "subscopes": ["custom:jupyter_server:read:*"],
    },
    "custom:jupyter_server:execute:*": {
        "description": "Execute permissions on servers.",
        "subscopes": [
            "custom:jupyter_server:write:*",
            "custom:jupyter_server:read:*",
        ],
    },
}

c.JupyterHub.load_roles = [
    # grant specific users read-only access to all servers
    {
        "name": "read-only-all",
        "scopes": [
            "access:servers",
            "custom:jupyter_server:read:*",
        ],
        "groups": ["read-only"],
    },
    {
        "name": "read-only-read-only-percy",
        "scopes": [
            "access:servers!user=percy",
            "custom:jupyter_server:read:*!user=percy",
        ],
        "users": ["vex"],
    },
    {
        "name": "admin-ui",
        "scopes": [
            "admin-ui",
            "list:users",
            "admin:servers",
        ],
        "users": ["admin"],
    },
    {
        "name": "full-access",
        "scopes": [
            "access:servers",
            "custom:jupyter_server:execute:*",
        ],
        "users": ["minrk"],
    },
    # all users have full access to their own servers
    {
        "name": "user",
        "scopes": [
            "custom:jupyter_server:execute:*!user",
            "custom:jupyter_server:read:*!user",
            "self",
        ],
    },
]

# servers request access to themselves

c.Spawner.oauth_client_allowed_scopes = [
    "access:servers!server",
    "custom:jupyter_server:read:*!server",
    "custom:jupyter_server:execute:*!server",
]

# enable the jupyter-server extension
c.Spawner.environment = {
    "JUPYTERHUB_SINGLEUSER_EXTENSION": "1",
}

from pathlib import Path

here = Path(__file__).parent.resolve()

# load the server config that enables granular permissions
c.Spawner.args = [
    f"--config={here}/jupyter_server_config.py",
]


# example boilerplate: dummy auth/spawner
c.JupyterHub.authenticator_class = 'dummy'
c.JupyterHub.spawner_class = 'simple'
c.JupyterHub.ip = '127.0.0.1'