Uneccessary warning generated

[jabbera]

Bug description

Starting a server with OAuth enabled (unsure if this matters) results in the following warning being generated in the log file. access:servers!server is the default scope of the server role.

UserWarning: Not expanding !server filter without target server in access:servers!server

Expected behaviour

No warning

Actual behaviour

Warning!

How to reproduce

helm chart installation of jupyterhub

Your personal set up

Whatever the docker image of the 2.0 helm chart uses!

Customized version of AzureAduthenticator

Logs:

Loading /usr/local/etc/jupyterhub/secret/values.yaml
No config at /usr/local/etc/jupyterhub/existing-secret/values.yaml
Loading extra config: 00-init.py
Loading extra config: 01-gmohub.py
[I 2023-06-04 16:32:01.610 JupyterHub hub_config:25] Configuring JupyterHub Nublado2 style
Loading extra config: 02-gmoauth.py
Loading extra config: 02-subdomain.py
Loading extra config: 03-environment.py
Loading extra config: 99-ssh-service.py
[I 2023-06-04 16:32:01.624 JupyterHub app:2810] Running JupyterHub version 3.1.1
[I 2023-06-04 16:32:01.624 JupyterHub app:2840] Using Authenticator: gmo.research.hub.GmoAzureAdAuthenticator.GmoAzureAdAuthenticator
[I 2023-06-04 16:32:01.624 JupyterHub app:2840] Using Spawner: kubespawner.spawner.KubeSpawner-4.3.0
[I 2023-06-04 16:32:01.624 JupyterHub app:2840] Using Proxy: jupyterhub.proxy.ConfigurableHTTPProxy-3.1.1
[I 2023-06-04 16:32:02.185 JupyterHub roles:183] Role attribute server.scopes has been changed
[I 2023-06-04 16:32:02.247 JupyterHub app:1969] Not using allowed_users. Any authenticated user will be allowed.
[I 2023-06-04 16:32:02.352 JupyterHub provider:661] Updating oauth client service-dask-gateway
[I 2023-06-04 16:32:02.407 JupyterHub provider:661] Updating oauth client service-gitrev
[W 2023-06-04 16:32:02.539 JupyterHub app:2692] Allowing service gitrev to complete OAuth without confirmation on an authorization web page
[I 2023-06-04 16:32:02.604 JupyterHub reflector:274] watching for events with field selector='involvedObject.kind=Pod' in namespace jhub
[I 2023-06-04 16:32:02.617 JupyterHub reflector:274] watching for pods with label selector='component=singleuser-server' in namespace jhub
[W 2023-06-04 16:32:02.626 JupyterHub _version:68] jupyterhub version 3.1.1 != jupyterhub-singleuser version 3.0.0. This could cause failure to authenticate and result in redirect loops!
[I 2023-06-04 16:32:02.647 JupyterHub app:3094] Not starting proxy
[I 2023-06-04 16:32:02.654 JupyterHub app:3130] Hub API listening on http://:8081/hub/
[I 2023-06-04 16:32:02.654 JupyterHub app:3132] Private Hub API connect url http://hub:8081/hub/
[I 2023-06-04 16:32:02.654 JupyterHub app:3141] Starting managed service jupyterhub-idle-culler
[I 2023-06-04 16:32:02.654 JupyterHub service:385] Starting service 'jupyterhub-idle-culler': ['python3', '-m', 'jupyterhub_idle_culler', '--url=http://localhost:8081/hub/api', '--timeout=43200', '--cull-every=600', '--concurrency=10', '--max-age=86400']
[I 2023-06-04 16:32:02.656 JupyterHub service:133] Spawning python3 -m jupyterhub_idle_culler --url=http://localhost:8081/hub/api --timeout=43200 --cull-every=600 --concurrency=10 --max-age=86400
[I 2023-06-04 16:32:02.662 JupyterHub app:3150] Adding external service dask-gateway at http://traefik-dask-dask-gateway.dask.svc.cluster.local
[I 2023-06-04 16:32:02.673 JupyterHub app:3141] Starting managed service gitrev at http://hub:10102
[I 2023-06-04 16:32:02.673 JupyterHub service:385] Starting service 'gitrev': ['/usr/local/bin/python', '/app/gmo/research/hub/gitrev.py']
INFO:__main__:service url http://hub:10102
INFO:__main__:instantiated http server
INFO:__main__:configured listener
INFO:tornado.access:200 GET /services/gitrev/ (10.15.40.35) 3.61ms
[I 2023-06-04 16:32:03.546 JupyterHub app:3150] Adding external service ssh_proxy
[I 2023-06-04 16:32:03.547 JupyterHub app:3150] Adding external service cronjobs
[I 2023-06-04 16:32:03.550 JupyterHub app:3199] JupyterHub is now running, internal Hub API at http://hub:8081/hub/
INFO:tornado.access:200 GET /services/gitrev/ (10.15.40.35) 0.94ms
[I 2023-06-04 16:33:47.323 JupyterHub GmoAzureAdAuthenticator:43] User: X has un-expired tokens
/usr/local/lib/python3.9/site-packages/jupyterhub/scopes.py:349: UserWarning: Not expanding !server filter without target server in access:servers!server
  expand_scopes(``

[welcome]

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively.

You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[minrk]

The warning should definitely be clearer about what is being refused, since it's hard to see what action triggered the warning. My guess from the context in the logs that a token being issued by a service, though it could also be on users themselves, which also wouldn't work. Can you share your role/scope configuration? This scope on the server role makes sense, but is anything else assigned to the default server role?