[earthscope] Restrict access to dask-gateway JupyterHub service based on group membership

[yuvipanda]

Part of #3899

Not all users should be able to get access to dask-gateway - this should also be limited based on scopes granted to them.

Productboard link: https://2i2c.productboard.com/products/features/27020229/detail

This is something we have committed to as part of the SOW.

Dependencies

#3900, which provisions JupyterHub groups based on scopes granted to users.

Tasklist

Tasks

Beta Give feedback

1. Figure out how to restrict access to a particular JupyterHub service based on group membership in JupyterHub (https://2i2c.slack.com/archives/CKJS000F4/p1712121603619569?thread_ts=1712108545.029909&cid=CKJS000F4)
2. Cleanup our loadRoles to explicitly grant access for the services we care about (configurator and dask-gateway)
3. Provide override in earthscope hub that only allows users of a specific group to access that service

[yuvipanda]

Note that the current tasklist is a preliminary set of suggestions. Whoever works on this will be able to shape it as they desire.

[consideRatio]

I ran into an issue with the strategy planned that require exploration of dask-gateway development, as outlined on a very high level in dask/dask-gateway#829.

With that and no quick alterantives in my mind, this issue ballooned into something that won't resolve in this sprint =/

For now I'll work to offload insights about JupyterHub.load_roles and assumptions in our config for configurator/dask-gateway that doesn't seem true - without a crisp understanding about that we will struggle in the end anyhow with this issue.

[yuvipanda]

@consideRatio ah damn. I'll communicate this to the community and see what we can do.

[Gman0909]

Has there been any update on this from the communities? If not, does this issue need to be sent back to a scoping/refinement stage or is it best to park it for now?