Thanks Dan! I saw that GitHub post and was also puzzled as to how to achieve the same effect on AWS. Thanks for looking into this.
I will proceed with HTTPS in the meantime. Eventually, the goal is to embed ContainDS into our web portal, permitting our data scientists to develop dashboards for internal and external consumption.
Trying things out again, I seem to still have this issue with unbound PersistentVolumeClaims after replacing the suggested Dynamic Storage configuration settings (necessary for this to work, apparently):
type: dynamic
capacity: 10Gi
dynamic:
  pvcNameTemplate: claim-{username}
  volumeNameTemplate: volume-{username}
  storageAccessModes: [ReadWriteMany]
I haven't found that much info on JupyterHub Groups. As far as I understand it, though, there are two groups: "admin" and non-admin. Or, rather, there is perhaps only one group, "admin". Perhaps one could add a new group, "dashboard-users", whose users would only be allowed to list/launch already existing dashboards, and not a "normal" server. The UI would then reflect your group membership, as it already does by showing the "Admin" tab.
However, for starters, I would be perfectly fine with some slightly hacky way to throw an error at the non-techies, if they disregard my instructions and actually click these "My Server".
What I'm thinking right now is to experiment with passing in the user name to the notebook server (Docker container), and then have a hook that checks a hard-coded allowed list of users, e.g. in /usr/local/bin/before-notebook.d, and if not allowed, refuses to start, somehow... It won't be pretty, but might do for now.
I am following the issue with great interest, and I definitely think it could be a very useful feature for many.
Thank you so much for this project, it's going to improve my quality of life at work, immensely, I'm sure!
I was able to implement a hack to disallow "non-technical" users from launching anything but dashboard servers, by adding a script to /usr/local/bin/before-notebook.d/disallow-non-techies.sh like this:
#!/bin/bash
# Users allowed to start a normal notebook server
ALLOWED_NB_USERS=(AxelTLarsson)

function assert_allowed_user() {
    # Space-padded match so that only whole user names in the list match
    if [[ ! " ${ALLOWED_NB_USERS[*]} " =~ " ${GITHUB_USER} " ]]; then
        # whatever you want to do when array doesn't contain value
        echo "${GITHUB_USER} is not allowed to start a normal notebook server"
        exit 1
    fi
}

if [ -z "${GITHUB_USER+x}" ]; then
    # If $GITHUB_USER is not set, we are attempting to start a voila (dashboard) server
    # => go ahead
    echo "Allowing dashboard start"
else
    # If $GITHUB_USER is set, we are starting a normal notebook server, check if that is ok
    assert_allowed_user
fi
It's not very pretty, and relies on the presence of $GITHUB_USER to determine if it's launching a normal server or a dashboard. So far, it seems to work alright, but I'm eagerly awaiting any development that will obviate this hack.
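An added example, not part of the original posts or of ContainDS: the same allowlist enforced in the hub through JupyterHub's `pre_spawn_hook`, so a refused user never gets a container at all. It assumes dashboards run as named servers while "My Server" is the default (unnamed) server; `disallow_non_techies`, `is_default_server` and `check` are names made up for illustration.

```python
# Added example for jupyterhub_config.py (not from the original post).
from types import SimpleNamespace

# Same allowlist as the shell hook. JupyterHub lowercases usernames by
# default, so the comparison below is case-insensitive.
ALLOWED_NB_USERS = {"AxelTLarsson"}
_ALLOWED = {u.lower() for u in ALLOWED_NB_USERS}


def is_default_server(spawner):
    """JupyterHub gives the default ("My Server") spawner an empty name."""
    return not spawner.name


def disallow_non_techies(spawner):
    """pre_spawn_hook: raising here aborts the spawn before anything starts.

    Assumption: dashboards are launched as named servers, so only the
    default server is restricted.
    """
    username = spawner.user.name
    if is_default_server(spawner) and username.lower() not in _ALLOWED:
        raise PermissionError(
            f"{username} is not allowed to start a normal notebook server"
        )


def check(username, server_name):
    """Try the hook offline against a stand-in spawner (constructed object)."""
    fake = SimpleNamespace(name=server_name, user=SimpleNamespace(name=username))
    try:
        disallow_non_techies(fake)
        return "allowed"
    except PermissionError:
        return "refused"


# In jupyterhub_config.py, where `c` is provided by JupyterHub:
#   c.Spawner.pre_spawn_hook = disallow_non_techies
```

Unlike the container hook, this check does not depend on whether an environment variable happens to be present, but it only covers the default server: named servers that are not dashboards would need their own rule.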