Hi all, I have been configuring a cylc server that will be available for all users @ Mercator. It has a centralized installation of cylc (à la ECMWF) and global configuration for the most populare remote hosts.
I have installed cylc hub. I am using the ldap extension for authentication and sudospawner.
I would like users to be able to at least start and see other users’ cylc servers. That’s where I am now dead in the water. I have followed the information both in cylc’s documentation and also JupyterHub’s doco but I still can’t get the sharing to work.
I can start another user’s server, after which I get another page that asks me to authorize:
Access user servers via API or browser. Applies to server .
Basically in the site (central) config /etc/cylc/uiserver/jupyter_config.py you need to:
tell JupyterHub that authenticated users can start and stop each others’ UI Servers, with c.JupyterHub.load_roles
delegate permission to users to authorize other authenticated users to read or operate on their workflows, with c.CylcUIServer.user_authorization
And, for then each user who needs this, in their user config file, ~/.cylc/uiserver/jupyter_config.py
authorize access by other authenticated users (all users, or specific users, or groups), with c.CylcUIServer.user_authorizationc.CylcUIServer.site_authorization
There are examples that should work out of the box in the referenced doc page.
Let us know if it still doesn’t work when/if you have done the above.
Hilary
p.s. Also let us know if you think the docs aren’t clear enough or miss anything important.
I’ve got c.JupyterHub.load_roles in /etc/cylc/uiserver/jupyterhub_config.py (it works there as well as if in /etc/cylc/uiserver/jupyter_config.py) as in the documentation.
I’ve got c.CylcUIServer.user_authorization/etc/cylc/uiserver/jupyter_config.py and
In ~sparonuzzi/.cylc/uiserver/jupyter_config.py (Stella’s account)
It doesn’t work. Tried a specifing the user rather than “*” in c.CylcUIServer.user_authorization, but didn’t make any difference.
Here’s something interesting: I took a peak into the jupyterhub.sqlite database. I was expecting that the “user” entry in the roles table would be modified by the c.JupyterHub.load_roles entry in the config file, but it was not.
I am stumped
Gaby
is for allowing others read access to your UI server. But it sounds like you are trying to access another user’s server, so they need to set that config themselves.
Hi @MetRonnie, yes, they (sparonuzzi) have set that. We’ve tried every imaginable configuration.
Additionally @hilary.j.oliver the instructions you have in the cylc doco do not jive with those
on the JupyterHub’s Sharing access to user servers — JupyterHub documentation
I’ve checked the versions and cylc’s is 5.4.6 while the latest is 5.5.0, so I would not expect much variation on the config
# /etc/cylc/uiserver/jupyter_config.py
c.CylcUIServer.site_authorization = {
"*": { # For all ui-server owners,
"*": { # Any authenticated user
"default": "READ", # Will have default read-only access
},
},
}
(You can change "default" to "limit" if you don’t want users to have read access given away by default)
Thanx @MetRonnie that actually did the trick, well almost… I can now start and view another user’s server, but they cannot see mine, even though I also have set up my jupyter_config.py granting all users read permission. Hum…
Scratch that. I think the reason why I can see the other user’s server is because I have admin role. If I remove that, then I cannot.
But before I added the site_authorization bit, I couldn’t see other’s servers even though I was admin. So it did do something
I made an unfortunate typo in my point (2) above, sorry @gturek - that was meant to point at what @MetRonnie suggested (site, not user authorization). [corrected now]
Anyhow, I think we need to check if the first part of that documentation page is misleading or incomplete …
You should not need full admin status, just the right to access and start and stop others’ servers, as described in Cylc: JuypterHub Authorization.
BTW I find the section Jupyter Server Authorisation in the cylc documentation a bit confusing.
The documentations states that I can skip the section if “” have not overridden the c.JupyterHub.spawner_class (in JupyterHub)) “” which I have since I am using SudoSpawner rather than the default LocalProcessSpawner
The default installation comes with c.ServerApp.authorizer_class = CylcAuthorizer
in jupyter_config.py , so initially I left it there.
So do I have to write my own authorizer for my specific set up?
(I also tried commenting the authorizer_class entry, but no difference, lol)
It might help to set this up first on a simple Linux box, where you have root, to experiment with how things are supposed to work?
I just did this myself to check my own understanding, on my box with root and two normal user accounts.
Here’s a minimal setup, with central config only, that gives all users read-only access to others:
no jupyter_config.py in either user account
cylc hub runs as root
the only jupyter config is /etc/cylc/uiserver/jupyter_config.py as follows:
# Allow any user to access the hub.
c.Authenticator.allow_all = True
# Allow all authenticated users to access, start and stop each others' servers
c.JupyterHub.load_roles = [
{
"name": "user",
"scopes": ["self", "access:servers", "servers"],
}
]
# Give read access to others by default, for all users.
c.CylcUIServer.site_authorization = {
"*": { # For all ui-server owners,
"*": { # Any authenticated user
"default": ["READ"], # Will have this default access
},
},
}
I agree that initial heading section could be clearer.
I think it just means you do not need to configure c.ServerApp.authorizer_class = CylcAuthorizer so long as you’re starting Jupyter Hub via the cylc hub command, which automatically does that.
If instead you need to use Cylc via vanilla JupyterHub, then you need to configure the hub yourself to spawn Cylc “hub app” (UI Server) and use the Cylc authorizer.
I would suggest start with cylc hub to eliminate one source of potential configuration errors.
To go one step further, I can use site authorization to allow users to give greater access to others (if no limit is defined, the default is the limit, as the docs say):
# /etc/cylc/uiserver/jupyter_config.py
c.CylcUIServer.site_authorization = {
"*": { # For all ui-server owners,
"*": { # Any authenticated user
"default": ["READ"], # Will have this default access
"limit": ["ALL"], # Max access users can allow
},
},
}
Then, in one user config (~hrevilo) I can allow the other user (~oliverh) to manually retrigger tasks as well as READ, like this:
Now if I authenticate at the hub as oliverh and go to hrevilo’s server, I can read their workflows and trigger tasks in them (the Trigger command specifically is not greyed out in the UI task menu).
But if I authenticate at the hub as hrevilo, I can only read oliverh’s workflows.
The first part of the docs seem to suggest that cylc.CylcUIServer.user_authorization in the central config is enough to allow cross-user access without setting site_authorization but I don’t think that’s true (from a quick experiment here) … if so we’ll clarify that.
No, I can vouch for this, the user_authorization in the central config file does not do anything. From an admin pov it would be handy. But the choice to share should be left up to the user.
The user_authorization configures authorisation for the user who’s server it is configuring.
I.e, if you set this in the “central” configuration, then you are configuring authorisation for workflows belonging to the user account that you run the cylc hub under.
If you want to grant default permissions for all users, use the site_authorisation configuring the default setting.