Add RBAC support to JupyterLab

[hbcarlos]

Problem

If we want to restrict actions to collaborators, we need to set different roles.
I'm already working on a PR to add a new package that represents the active user by introducing a new interface IUser, a new token ICurrentUser and an extension to implement a basic model User that stores the user info in the browser. The interface IUser has the attribute role defining four new roles ADMIN, READ, WRITE, RUN.

For now, In #11180, I just added the attribute, but I'm not using it in any other place (I think we should open another PR to restrict the actions of a collaborator).

The main problem is that Jupiter Server doesn't have RBAC. For that reason, the new extension creates anonymous users with the role ADMIN. Every user can do any action.

Proposed Solution

Make core extensions depend on the new package user and limit the different actions by roles.

[krassowski]

How does this proposal and PR fit together with the RBAC support implemented by JupyterHub team in 2.0 release (jupyterhub/jupyterhub#2245 and jupyterhub/jupyterhub#3438) and with the ongoing work in jupyter server in: jupyter-server/jupyter_server#165 and in jupyter-server/jupyter_server#540? Sorry if this is a trivial question, I would just like to understand the landscape a little bit more (and cross-reference the issues so we can navigate easily between projects). Is there a coordination activity/document so that someone who is not actively working in this domain could catch up? Thanks!

[hbcarlos]

Hey @krassowski! It is not a trivial question. It is the right one.
The idea is to follow what JupyterHub and Jupyter Server do, to have the exact implementation across projects, so everyone benefits from it.
For now, there is no coordination. I think we can start defining the roles for the user and the scopes for the different actions based on the work happening in here and JupyterHub's documentation here.

[fcollonval]

Although this is tagged for Real-Time Collaboration, I did not move it to jupyter_collaboration repository as it is likely to require work in core (as the identity and authorization are part of Jupyter Server).

[krassowski]

With the past changes in jupyter-server and JupyterHub is there any more work that needs to be done on JupyterLab side?

[krassowski]

Thinking out loud it could be useful to show that authorization layer of jupyter-server forbids certain actions. I think that we should not add authorization logic on the frontend side as it could be easily circumvented.

This issue is not clear on the scope, nor specific addition to be made - input from the community is welcome.