Question regarding API Token Scopes when using nbgrader with JupyterHub #1900
Comments
|
Note that JupyterHub 4 does not have a UI for creating tokens with limited scopes. This was added in jupyterhub/jupyterhub#4578 |
|
scopes |
|
@jeflem It works for me with just |
|
@lahwaacz Depends on your usecase and your overall JHub configuration. If you enrole a student via formgrader, the formgrader wants to add this student to a group, for instance, which is not possible with your set of scopes. And if you enrole a student not yet known to the hub, then formgrader needs to add this user to JHub's user list. As far as I remember, all scopes listed in my comment above stem from fixing some formgrader errors. In this sense they are required by formgrader (but of course might by slightly to wide). |
This works with the
You need Overall, I think that nbgrader should not require any admin scope. Remember that people using nbgrader essentially get the same permission scopes and they can run any code on JupyterHub, not just nbgrader. |
That's true and maybe a problem in my setup. Will check this soon... |
The documentation (https://nbgrader.readthedocs.io/en/stable/configuration/jupyterhub_config.html#jupyterhub-authentication) states "The course service additionally needs to have an API token set that is from a JupyterHub admin (see JupyterHub documentation)."
But does not specify what scopes are necessary for the token.
It would be good if it was known what the minimal scopes (https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes) are to run nbgrader.
The best would be to include that information into the documentation.
Operating system
nbgrader --version0.9.2
jupyterhub --version(if used with JupyterHub)Expected behavior
Minimal rights for grader-course-entities with nbgrader still capabale to run
Actual behavior
grader-course-entities gets some form of admin access
The text was updated successfully, but these errors were encountered: