fix(jupyterhub): fix vault policy

jupyterhub/justfile

@@ -6,7 +6,7 @@ export JUPYTERHUB_CHART_VERSION := env("JUPYTERHUB_CHART_VERSION", "4.2.0")
 export JUPYTERHUB_OIDC_CLIENT_ID := env("JUPYTERHUB_OIDC_CLIENT_ID", "jupyterhub")
 export JUPYTERHUB_ENABLE_NFS_PV := env("JUPYTERHUB_ENABLE_NFS_PV", "")
 export JUPYTERHUB_VAULT_INTEGRATION_ENABLED := env("JUPYTERHUB_VAULT_INTEGRATION_ENABLED", "false")
-export JUPYTER_PYTHON_KERNEL_TAG := env("JUPYTER_PYTHON_KERNEL_TAG", "python-3.12-3")
+export JUPYTER_PYTHON_KERNEL_TAG := env("JUPYTER_PYTHON_KERNEL_TAG", "python-3.12-4")
 export KERNEL_IMAGE_BUUN_STACK_REPOSITORY := env("KERNEL_IMAGE_BUUN_STACK_REPOSITORY", "buun-stack-notebook")
 export KERNEL_IMAGE_BUUN_STACK_CUDA_REPOSITORY := env("KERNEL_IMAGE_BUUN_STACK_CUDA_REPOSITORY", "buun-stack-cuda-notebook")
 export JUPYTER_PROFILE_MINIMAL_ENABLED := env("JUPYTER_PROFILE_MINIMAL_ENABLED", "false")

jupyterhub/vault-policy.hcl

@@ -5,6 +5,11 @@ path "secret/data/jupyter/shared/*" {
     capabilities = ["read", "list"]
 }
 
+# Allow users to list shared directory
+path "secret/metadata/jupyter/shared" {
+    capabilities = ["list"]
+}
+
 # Full access to user-specific paths
 path "secret/data/jupyter/users/{{identity.entity.aliases.auth_jwt_*.metadata.username}}/*" {
     capabilities = ["create", "update", "read", "delete", "list"]
@@ -15,7 +20,7 @@ path "secret/metadata/jupyter/users/{{identity.entity.aliases.auth_jwt_*.metadat
     capabilities = ["list", "read", "delete"]
 }
 
-# Allow users to list jupyter root to navigate
-path "secret/metadata/jupyter/*" {
+# Allow users to list only their own user directory for navigation
+path "secret/metadata/jupyter/users/{{identity.entity.aliases.auth_jwt_*.metadata.username}}" {
     capabilities = ["list"]
 }