Problem setting up sharing servers

Hi all, I have been configuring a cylc server that will be available for all users @ Mercator. It has a centralized installation of cylc (à la ECMWF) and global configuration for the most populare remote hosts.
I have installed cylc hub. I am using the ldap extension for authentication and sudospawner.
I would like users to be able to at least start and see other users’ cylc servers. That’s where I am now dead in the water. I have followed the information both in cylc’s documentation and also JupyterHub’s doco but I still can’t get the sharing to work.
I can start another user’s server, after which I get another page that asks me to authorize:

Access user servers via API or browser. Applies to server .

but the I get the error:

You do not have permission to access this server

and this is what shows up in the log:

[I 2026-06-12 14:03:15.483 CylcHubApp log:192] 302 GET /user/sparonuzzi/oauth_callback?code=[secret]&state=[secret] -> /user/sparonuzzi/cylc/?redirects=1 (@127.0.0.1) 37.48ms
[I 2026-06-12 14:03:16.288 CylcUIServer] User gturek authorized permissions: []

And I have

c.CylcUIServer.user_authorization = {
    '*': ['READ'],
}

in jupyter_config.py

Any ideas?
Thanx!
Gaby

Hi Gaby,

Maybe you haven’t delegated permissions to users at site level.

Did you find the reference documentation on Authorizing Others To Access Your Workflows?

Basically in the site (central) config /etc/cylc/uiserver/jupyter_config.py you need to:

  1. tell JupyterHub that authenticated users can start and stop each others’ UI Servers, with c.JupyterHub.load_roles
  2. delegate permission to users to authorize other authenticated users to read or operate on their workflows, with c.CylcUIServer.user_authorization

And, for then each user who needs this, in their user config file, ~/.cylc/uiserver/jupyter_config.py

  1. authorize access by other authenticated users (all users, or specific users, or groups), with c.CylcUIServer.user_authorization c.CylcUIServer.site_authorization

There are examples that should work out of the box in the referenced doc page.

Let us know if it still doesn’t work when/if you have done the above.

Hilary

p.s. Also let us know if you think the docs aren’t clear enough or miss anything important.

Hi Hilary, thanx for your reply. Believe me

  1. I’ve got c.JupyterHub.load_roles in /etc/cylc/uiserver/jupyterhub_config.py (it works there as well as if in /etc/cylc/uiserver/jupyter_config.py) as in the documentation.
  2. I’ve got c.CylcUIServer.user_authorization /etc/cylc/uiserver/jupyter_config.py and
  3. In ~sparonuzzi/.cylc/uiserver/jupyter_config.py (Stella’s account)

It doesn’t work. Tried a specifing the user rather than “*” in c.CylcUIServer.user_authorization, but didn’t make any difference.
Here’s something interesting: I took a peak into the jupyterhub.sqlite database. I was expecting that the “user” entry in the roles table would be modified by the c.JupyterHub.load_roles entry in the config file, but it was not.
I am stumped
Gaby

The jupyter_config.py config

c.CylcUIServer.user_authorization = {
    '*': ['READ'],
}

is for allowing others read access to your UI server. But it sounds like you are trying to access another user’s server, so they need to set that config themselves.

Hi @MetRonnie, yes, they (sparonuzzi) have set that. We’ve tried every imaginable configuration.

Additionally @hilary.j.oliver the instructions you have in the cylc doco do not jive with those
on the JupyterHub’s Sharing access to user servers — JupyterHub documentation
I’ve checked the versions and cylc’s is 5.4.6 while the latest is 5.5.0, so I would not expect much variation on the config

Ah it might be that you need to set

# /etc/cylc/uiserver/jupyter_config.py

c.CylcUIServer.site_authorization = {
    "*": {  # For all ui-server owners,
        "*": {  # Any authenticated user
            "default": "READ",  # Will have default read-only access
        },
    },
}

(You can change "default" to "limit" if you don’t want users to have read access given away by default)

See this section in Authorizing Others to Access Your Workflows — Cylc 8.6.3 documentation

I guess it isn’t very clear and should be mentioned earlier up on that page.

Thanx @MetRonnie that actually did the trick, well almost… I can now start and view another user’s server, but they cannot see mine, even though I also have set up my jupyter_config.py granting all users read permission. Hum…

Scratch that. I think the reason why I can see the other user’s server is because I have admin role. If I remove that, then I cannot.
But before I added the site_authorization bit, I couldn’t see other’s servers even though I was admin. So it did do something

1 Like

I made an unfortunate typo in my point (2) above, sorry @gturek - that was meant to point at what @MetRonnie suggested (site, not user authorization). [corrected now]

Anyhow, I think we need to check if the first part of that documentation page is misleading or incomplete …

You should not need full admin status, just the right to access and start and stop others’ servers, as described in Cylc: JuypterHub Authorization.

Nope @hilary.j.oliver , sorry it just doesn’t work :frowning: even after making the changes as per your last message:

In fact now, if sparonuzzi tries to see my (gturek) server she gets:


404 : Not Found

Jupyter has lots of moons, but this is not one...

And If I try to access hers I no longer can:

You do not have permission to access this server

BTW I find the section Jupyter Server Authorisation in the cylc documentation a bit confusing.

The documentations states that I can skip the section if “” have not overridden the c.JupyterHub.spawner_class (in JupyterHub)) “” which I have since I am using SudoSpawner rather than the default LocalProcessSpawner

The default installation comes with
c.ServerApp.authorizer_class = CylcAuthorizer
in jupyter_config.py , so initially I left it there.

So do I have to write my own authorizer for my specific set up?
(I also tried commenting the authorizer_class entry, but no difference, lol)

Gaby

Hi @gturek

It might help to set this up first on a simple Linux box, where you have root, to experiment with how things are supposed to work?

I just did this myself to check my own understanding, on my box with root and two normal user accounts.

Here’s a minimal setup, with central config only, that gives all users read-only access to others:

  • no jupyter_config.py in either user account
  • cylc hub runs as root
  • the only jupyter config is /etc/cylc/uiserver/jupyter_config.py as follows:
# Allow any user to access the hub.
c.Authenticator.allow_all = True

# Allow all authenticated users to access, start and stop each others' servers
c.JupyterHub.load_roles = [
     {
         "name": "user",
         "scopes": ["self", "access:servers", "servers"],
     }
]

# Give read access to others by default, for all users.
c.CylcUIServer.site_authorization = {
    "*": {  # For all ui-server owners,
        "*": {  # Any authenticated user
             "default": ["READ"],  # Will have this default access
         },
    },
}

I agree that initial heading section could be clearer.

I think it just means you do not need to configure c.ServerApp.authorizer_class = CylcAuthorizer so long as you’re starting Jupyter Hub via the cylc hub command, which automatically does that.

If instead you need to use Cylc via vanilla JupyterHub, then you need to configure the hub yourself to spawn Cylc “hub app” (UI Server) and use the Cylc authorizer.

I would suggest start with cylc hub to eliminate one source of potential configuration errors.

To go one step further, I can use site authorization to allow users to give greater access to others (if no limit is defined, the default is the limit, as the docs say):

# /etc/cylc/uiserver/jupyter_config.py

c.CylcUIServer.site_authorization = {
    "*": {  # For all ui-server owners,
        "*": {  # Any authenticated user
             "default": ["READ"],  # Will have this default access
             "limit": ["ALL"],  # Max access users can allow
         },
    },
}

Then, in one user config (~hrevilo) I can allow the other user (~oliverh) to manually retrigger tasks as well as READ, like this:

# /home/hrevilo/.cylc/uiserver/jupyter_config.py

c.CylcUIServer.user_authorization = {
    "oliverh": ["READ", "trigger"],
}

Now if I authenticate at the hub as oliverh and go to hrevilo’s server, I can read their workflows and trigger tasks in them (the Trigger command specifically is not greyed out in the UI task menu).

But if I authenticate at the hub as hrevilo, I can only read oliverh’s workflows.

The first part of the docs seem to suggest that cylc.CylcUIServer.user_authorization in the central config is enough to allow cross-user access without setting site_authorization but I don’t think that’s true (from a quick experiment here) … if so we’ll clarify that.

Ngā mihi nui ki a koe @hilary.j.oliver ! I got it to work following your steps :index_pointing_up: and restarting with “clean” config files.

1 Like

No, I can vouch for this, the user_authorization in the central config file does not do anything. From an admin pov it would be handy. But the choice to share should be left up to the user.

The user_authorization configures authorisation for the user who’s server it is configuring.

I.e, if you set this in the “central” configuration, then you are configuring authorisation for workflows belonging to the user account that you run the cylc hub under.

If you want to grant default permissions for all users, use the site_authorisation configuring the default setting.

1 Like