Allow unprivileged users to start an interactive session #857
Comments
Thanks @lorenzo-cavazzi. Any chance that this issue could be tackled and opened a "do not yet merge" PR for this today? This would make the testing of the backend part for this easier because one could simply use the UI to generate the relevant API calls. |
|
sure, I can work on that later (after lunch), it shouldn't take long |
|
@ableuler I made a quick draft PR, with a preview available here: https://lorenzotest.dev.renku.ch (the UI images is Keep in mind that currently, if you don't log in, any call to |
That's exactly what I needed! Thanks! |
|
@lorenzo-cavazzi I'm modifying the notebook service to prevent the 401 responses and I think I'm getting there. However, the call to the gitlab Generally it's really annoying, that |
|
It makes sense that unauthorized users can't access pipelines/jobs. Maybe here we can use another strategy similar to what @rokroskar implemented on |
|
I confirm this approach works for anonymous users too 🎉 This approach is simpler but I would still keep the pipeline/job info for DEV+ users since it helps in debugging what went wrong when the image is not building by pointing you to the relevant job. If it's enough for you, I will just disable the pipeline/jobs calls since it's super quick, but we now know how to properly fix this later 🙂 |
yes, that's perfect! |
That's really great news. In the API docs they explicitly say otherwise, but that will save us quite some work. Thanks for checking @lorenzo-cavazzi! 🎉 |
|
@lorenzo-cavazzi Do you want to implement the discussed changes (query registry API instead of jobs API to determine image availability) within the scope of this Issue/PR or should I create a new separate issue for it and mark it as a dependency for this issue? |
|
No it's fine, I would address all in this issue/PR. I was postponing working on this until I can deploy a beta version of the backend in my environment, otherwise it's a bit annoying (and error-prone) faking the API responses |
Yes, I understand. Would it be ok for you to develop this against the running deployment at https://andreas.dev.renku.ch ? I have everything running now but deploying it is still not as streamlined as it should be. Feel free to swap out the UI of my running deployment or telepresence into it. |
Users can start an environment in any public or internal project without having developer permission. In that case, they still get a warning and a suggestion on how to proceed if they want to save their work. re #857
Users can start an environment in any public or internal project without having developer permission. In that case, they still get a warning and a suggestion on how to proceed if they want to save their work. re #857
Anonymous users can start an environment. They will get a temporary identity and they will see warnings suggesting to log in. BREAKING CHANGE: Requires backend components supporting anonymous users environments fix #857
|
For a future iteration on this: would it be possible to have "binder-like" experience of sending someone a link that drops them directly into a running session? Maybe they would still have to click a button to actually trigger the launch, but it would be nice if they didn't have to navigate anywhere. @lorenzo-cavazzi started discussing something along these lines already - maybe we should have a design meeting where we can hash out how to streamline the launch experience? |
I think it can even be done without any button click. IMO there's nothing wrong with a browser page which translates some request parameters into the body of a POST request. Also the immediate redirection to the launched instance should be ok now that Jupyterhub has improved their handling of starting sessions. |
Users can start an environment in any public or internal project without having developer permission. In that case, they still get a warning and a suggestion on how to proceed if they want to save their work. re #857
Anonymous users can start an environment. They will get a temporary identity and they will see warnings suggesting to log in. BREAKING CHANGE: Requires backend components supporting anonymous users environments fix #857
Users can start an environment in any public or internal project without having developer permission. In that case, they still get a warning and a suggestion on how to proceed if they want to save their work. re #857
Anonymous users can start an environment. They will get a temporary identity and they will see warnings suggesting to log in. BREAKING CHANGE: Requires backend components supporting anonymous users environments fix #857
The UI should allow a user to start an interactive session, even if that user does not have write access to the repo or is not logged in at all. The UI should warn the user that she or he might loose some data.
Update (2020-04-01):
After some work on the backend and some discussion below we have a clearer picture about the necessary changes on the UI side to enable this feature:
/api/notebooks/..., do not trigger the normal login cycle. Instead send the browser to/api/auth/jupyterhub/login-tmp?redirect-url=<current-path-or-full-url (url-encoded)>. This will trigger a login cycle with the Jupyterhub instance which manages the temporary user sessions and then redirect to the desired UI page..Values.global.anonymousSessions.enable: true. Otherwise that login attempt will fail..Values.global.anonymousSessions.enableshould be translated into an env variable and written intoconfig.jsonwhich then UI can then use to determine if anonymous sessions are activated or not.The text was updated successfully, but these errors were encountered: