We have a forecast account on our systems which allows a team of users to sudo from
their personal accounts to the forecast account so that forecast systems have the same
file paths and whatnot regardless of which team member is running them.
The cylc8 gui however logs in through the jupyterhub and we don’t have any way to sudo from
jupyterhub. How can we get to our forecast user from the cylc8 gui?
It works like this:
- The Hub needs sufficient system privileges to be able to start Cylc UI Servers on target user accounts.
- It does that via a spawner. The default one spawns into local user accounts on the hub host, but there are others available for remote hosts too.
- When you authenticate at the hub, it spawns (or connects to) a UI Server on your own account.
- However, as an authenticated user, you can spawn (or connect to) other users’ UI Servers too, and then view or interact with their workflows if they have authorized you to do so.
- When you do this, your authenticated name will be logged against any (authorized) actions you perform on the other user’s workflows.
This is brand new in Cylc 8. It works already as described above, but we have yet to:
- expose it simply via the UI
- complete the documentation
- fully test remote access on various platform configurations
For the moment:
- after authenticating at the hub, you have to manually alter the URL to point to the other user
- you can connect to another user’s UI Server if it is already running, but the hub won’t spawn it for you unless you are a hub “admin” user
The documentation is here, in the latest user guide: Authorizing Others to Access Your Workflows — Cylc 8.0rc2 documentation
- there’s a known error in config file paths (
- we still need to flesh out some detail
For the setup you describe, for the moment I think options are:
- attempt to get the full solution working as described above, perhaps with help via this forum
- you might be able to run a hub on the forecast account itself, so that all allowed users can authenticate as themselves but can only spawn UI Servers on the forecast account
  - this requires the forecast user to be able to access the authenticator (by default PAM)
  - (it shouldn’t be a problem that the authenticated user can’t start a UIS on their own account via the forecast hub, but I haven’t checked that)
- or go hubless: users can sudo to the forecast account as usual, then run cylc gui instead of
  - this of course bypasses the nice authorization system as everything will be running as the forecast user (but that’s presumably what you’ve had thus far).