jupyterhub / binderhub

Run your code in the cloud, with technology so advanced, it feels like magic!
https://binderhub.readthedocs.io
BSD 3-Clause "New" or "Revised" License
2.57k stars 390 forks source link

Reduce requested JupyterHub permissions and switch to using a role #1553

Open consideRatio opened 2 years ago

consideRatio commented 2 years ago

As @minrk commented in https://github.com/jupyterhub/binderhub/pull/1544#issuecomment-1277497482, it is now possible to reduce the JupyterHub API permissions requested by binderhub with JupyterHub's new RBAC system.

The binder service also should not need to be admin, we should define Binder's own permissions in a role. It needs:

  1. servers to read, start, and stop user servers
  2. admin:users (if not using auth)

It may make sense to define the role(s) dynamically in Python, because of the if auth_enabled logic involved. Or we could define two roles statically in config, and then assign the role dynamically, depending on if auth is enabled or not.

Alternately, it could get no permissions at all in the auth case, and we could perform the launch requests with the user's own token. That might be better! It would mean specifying the permission servers!user in the services.binder.oauth_client_allowed_scopes config. It would still mean defining the (default) binder role (or not) and then assigning it (or not) based on auth_enabled.