Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Dan Lester
    @danlester
    And then how to reshape the JupyterHub UI for these non-technical users so that, for example, ideally they don't see a 'My Server' or 'New Dashboard' button at all, and only get to see the list of dashboards.
    Some of this functionality would sit in JupyterHub itself ideally, but doesn't really make sense to the core JupyterHub project...
    Anyway, this is something I want to work on. All ideas and feedback welcome!
    I have created an issue to track ideonate/cdsdashboards#37
    Axel Larsson
    @AxelTLarsson

    I haven't found that much info on JupyterHub Groups, as far as I understand it though, there are two groups "admin", and non-admin. Or, rather, there is perhaps only one group "admin". Perhaps one could add a new group - "dashboard-users", whose users would only be allowed to list/launch already existing dashboards, and not a "normal" server. The UI would then reflect your group belonging, as it does with showing the "Admin" tab already.
    However, for starters, I would be perfectly fine with some slightly hacky way to throw an error at the non-techies, if they disregard my instructions and actually click these "My Server".
    What I'm thinking right now is to experiment with passing in the user name to the notebook server (Docker container), and then have a hook that checks a hard-coded allowed list of users, e.g. in /usr/local/bin/before-notebook.d, and if not allowed, refuses to start, somehow... It won't be pretty, but might do for now.

    I am following the issue with great interest, and I definitely think it could be a very useful feature for many.

    Dan Lester
    @danlester
    Actually 'admin' is just a flag that is assigned to each user (True/False). Groups are a fairly generic JupyterHub concept, but aren't really used anywhere... (other than in ContainDS to control access to Dashboards)
    Without changing JupyterHub core, the UI change might be easy enough, but then ideally would also be reinforced with something like you've suggested if they do attempt to use the API to start a server anyway.
    Sid Feygin
    @sfwatergit
    Groups would be essential for our use case as well, which I think is somewhat different from the above. Basically, we will have internal data scientists who are dashboard creators and external users (clients) who will be consuming the dashboards and not permitted to run code. Ideally, authorization to view dashboards could be assigned on a per-group basis and be well-integrated with our JupyterHub-compatible OAuth provider of choice (AWS Cognito). I can definitely make more progress towards this end once ideonate/cdsdashboards#37 is resolved and jupyterhub/jupyterhub#3133) is merged. Any other significant challenges to implementing this solution that would require changes to either containds or JupyterHub? Happy to help out if so.
    Victor Tolpegin
    @DarkmatterVale
    I'd love to see groups integrated with dashboards as well. I've loved using the dashboards feature thus far, and I know that integrating groups would provide us additional value (both in dashboards, and in jupyter overall)
    Dan Lester
    @danlester
    Thanks all. I think @sfwatergit and @AxelTLarsson would benefit from the same kind of approach, maybe needing some customization as well. @DarkmatterVale thank you for your encouragement too!
    I will work on something based on JupyterHub groups that at least gives a reasonable UI and passes something to spawners or servers so they know if that user should be allowed to spawn or not.
    Victor Tolpegin
    @DarkmatterVale
    Thank you! And thanks for all of your work building out the dashboards feature. It's awesome!
    Dan Lester
    @danlester
    @DarkmatterVale Great to hear you like it!
    Axel Larsson
    @AxelTLarsson

    Thank you so much for this project, it's going to improve my quality of life at work, immensely, I'm sure!
    I was able to implement a hack to disallow "non-technical" users from launching anything but dashboard servers, by adding a script to /usr/local/bin/before-notebook.d/disallow-non-techies.sh like this:

    #!/bin/bash

ALLOWED_NB_USERS=(AxelTLarsson)

function assert_allowed_user() {
    if [[ ! " ${ALLOWED_NB_USERS[@]} " =~ " ${GITHUB_USER} " ]]; then
        # whatever you want to do when array doesn't contain value
        echo "${GITHUB_USER} is not allowed to start a normal notebook server"
        exit 1
    fi
}

if [ -z ${GITHUB_USER+x} ]; then
    # If $GITHUB_USER is not set, we are attempting to start a voila (dashboard) server
    # => go ahead
    echo "Allowing dashboard start"
else
    # If GITHUB_USER is not set, we are starting a normal notebook server, check if that is ok
    assert_allowed_user
fi

    It's not very pretty, and relies on the presence of $GITHUB_USER to determine if it's launching a normal server or a dashboard. So far, it seems to work alright, but I'm eagerly awaiting any development that will obviate this hack.

    Dan Lester
    @danlester
    @AxelTLarsson thank you for your kind words, and for sharing this solution. I have made some interesting experimental commits to master if anyone wants to take a look.

    In your config add:
    c.CDSDashboardsConfig.spawn_allow_group = 'spawners-group'
    (or whatever named group you want, it will be created if it doesn't exist)
    this group will be the only people allowed to spawn servers or create dashboards.

    Alternatively use:
    c.CDSDashboardsConfig.spawn_block_group = 'viewers-group'
    to specify a list of users who should only be viewers - useful if most new users are developers.

    Dan Lester
    @danlester
    This roughly restricts the UI so they can't do any spawning or dashboard creation, except to do this there is now a custom /hub/home-cds page instead of /hub/home.
    If they go to /home directly (or /hub/spawn/dan for that matter) then they can attempt to start a server but it will throw an error straight away.
    I have also added a basic Group management UI to make it easier to add/remove users from the groups. In @sfwatergit 's case, we would also want to sync to the group inside the Authenticator (much is it gets admin status at the moment) - let's take a look.
    Axel Larsson
    @AxelTLarsson
    Wow, very nice @danlester! I just tried it out and it works very well. It does seem that I have to explicitly add people to the dashboard group that is created if I create a new dashboard though - simply choosing "all users" doesn't seem to work afaict. It is a minor thing, so it's not stopping me from using it, but it would of course be nice if that could be fixed at some point.
    Dan Lester
    @danlester
    @AxelTLarsson Great to hear it works well so far! It was only a first attempt really. I can't reproduce the permissions problem though. The named per-dashboard group (e.g. dash-test) should only be relevant when 'Selected Users' is chosen. Group membership can be changed either on the dashboard edit page (unless All Users is chosen) or on the new Group page (for admins). But the group shouldn't have any bearing on access when All Users is chosen.
    It's possible that cookies are confused, especially if testing by logging in/out on the same browser. Please could you try again, and maybe spell out steps if you still think there is a fundamental problem (e.g. did user exist when dashboard was started?)
    But in any case I need to take a look at how JupyterHub handles cookies on logout
    Dan Lester
    @danlester
    BTW in a commit just now I moved Groups menu item into the top of the Admin page. So click Admin to be able to get to it.
    Axel Larsson
    @AxelTLarsson
    Yeah, actually, I can't reproduce the issue now, and definitely the cookies could have some effect, because I tested with my own user, adding/removing it from the spawners-group. Makes sense to have the group functionality under Admin!
    Dan Lester
    @danlester
    Great, let me know any other problems and/or feedback etc.
    Sid Feygin
    @sfwatergit
    @danlester Thanks for the rapid implementation on a group management ui! I see the commits you've added, but I'm unsure how to deploy this on k8s, since it's not yet tagged with a versioned release.
    Dan Lester
    @danlester
    Good question @sfwatergit. The jupyterhub image is built for every commit, for example cdsdashboards commit b5a2950 ends up on Docker hub tagged as ideonate/cdsdashboards-jupyter-k8s-hub:sha-b5a2950
    However, there may not be a corresponding singleuser image, but in this case the latest singleuser images should work fine anyway.
    It would be great if you can try out the new functionality, but of course it's experimental. Feedback is essential!
    Sid Feygin
    @sfwatergit
    @danlester : I've been able to try out the groups management ui, but I'm not exactly sure what it is meant to accomplish. When I click on the manage_groups link, I get a list of all servers and can add or remove users from the servers.
    7 replies
    Victor Tolpegin
    @DarkmatterVale

    Hey all, I'm really enjoying using dashboards. But I've recently run into an issue...When I start a dashboard, then stop the server, and finally restart the server, I sometimes get the following error:

    ERROR:tornado.application:Uncaught exception GET /user/****/dash-testsds/ (****)
HTTPServerRequest(protocol='http', host='****:8888', method='GET', uri='/user/****/dash-testsds/', version='HTTP/1.1', remote_ip='****')
Traceback (most recent call last):
  File "/opt/amazon/lib/python3.7/site-packages/tornado/web.py", line 1592, in _execute
    result = yield result
  File "/opt/amazon/lib/python3.7/site-packages/tornado/gen.py", line 1133, in run
    value = future.result()
  File "/usr/local/lib/python3.7/site-packages/jhsingle_native_proxy/websocket.py", line 103, in get
    return await self.http_get(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 718, in http_get
    return await self.proxy(self.port, path)
  File "/usr/local/lib/python3.7/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 712, in proxy
    return await self.oauth_proxy(port, path)
TypeError: object NoneType can't be used in 'await' expression

    Any thoughts why this is happening?

    10 replies
    If I restart the server again (after seeing this error), it sometimes fixes itself and I can use it again
    Sid Feygin
    @sfwatergit

    Hi! I've found that when I use rather memory-intensive widgets with voila, I get failed page loads (timeout from Tornado). I found the following error in my logs when this happens:

    ERROR:asyncio:Task exception was never retrieved
future: <Task finished name='Task-33' coro=<SuperviseAndProxyHandler.ensure_process.<locals>.pipe_output() done, defined at /opt/conda/lib/python3.8/site-packages/jhsingle_native_proxy/proxyhandlers.py:645> exception=ValueError('Separator is found, but chunk is longer than limit')>
Traceback (most recent call last):
  File "/opt/conda/lib/python3.8/asyncio/streams.py", line 540, in readline
    line = await self.readuntil(sep)
  File "/opt/conda/lib/python3.8/asyncio/streams.py", line 635, in readuntil
    raise exceptions.LimitOverrunError(
asyncio.exceptions.LimitOverrunError: Separator is found, but chunk is longer than limit

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/conda/lib/python3.8/site-packages/jhsingle_native_proxy/proxyhandlers.py", line 650, in pipe_output
    line = await stream.readline()
  File "/opt/conda/lib/python3.8/asyncio/streams.py", line 549, in readline
    raise ValueError(e.args[0])
ValueError: Separator is found, but chunk is longer than limit

    Any ideas on this?

    Dan Lester
    @danlester
    Thanks @sfwatergit - would it be possible to produce a minimal Voila script to simulate this so I can try it out? Or at least some idea of the operations that are in progress when this happens? If a GitHub issue or email is better to share this, please feel free!
    13 replies