cylc-uiserver

authorisation: integrate with jupyter_server auth

Open oliver-sanders opened this issue 1 year ago • 0 comments

Cylc uses its own authorisation system to govern what users can and can't do in multi-user setups.

Since we added this functionality, Jupyter Server has now developed their own approach. They don't provide a configuration like we do; instead, they give you the option to define your own authorisation function, but it's essentially the same deal.

To impose our own authorisation system, we effectively side-step Jupyter Server's user controls, which is fine, but now that there is an interface to bind our logic into, it would be much nicer to use it rather than defining our own.

This would involve replacing our decorators with theirs and probably defining a default authorisation class in the default Cylc config. This would avoid sites needing to define their own authorisation policy for Jupyter Lab but leave them the option to override it.

Example authenticator config:

```python
from getpass import getuser
from jupyter_server.auth import Authorizer
from cylc.uiserver.auth import authorise

# the user who owns (launched) this server
ME = getuser()


class DefaultAuthorizer(Authorizer):
    """Configure authorization for Jupyter Server handlers."""

    def is_authorized(self, handler, user, action, resource):
        if resource == 'cylc':
            # defer to Cylc authorisation for Cylc endpoints
            return authorise(user, action)
        if user.username == ME:
            # restrict other server extensions (e.g. Jupyter Lab) to the owner only
            return True
        # everything else is denied
        return False


# `c` is the config object available inside a Jupyter configuration file
c.ServerApp.authorizer_class = DefaultAuthorizer
```

oliver-sanders, Jul 14 '23 15:07
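An added example, not part of the original issue or of Cylc's code: the branching of the proposed `DefaultAuthorizer.is_authorized` as a pure function, so a site can check its decision table (deny by default, fail closed on errors) without starting a server. The `User` class, `sample_authorise`, the permissions table and the user names are constructed stand-ins; `read`/`write`/`execute` are Jupyter Server's action names.

```python
from dataclasses import dataclass

# Constructed sample permissions; Cylc's real rules come from its own
# authorisation configuration, which this issue does not show.
SAMPLE_CYLC_PERMISSIONS = {
    "alice": {"read", "write", "execute"},  # server owner
    "bob": {"read"},                        # read-only colleague
}


@dataclass(frozen=True)
class User:
    """Minimal stand-in for the user object Jupyter Server passes in."""
    username: str


def sample_authorise(user, action):
    """Hypothetical stand-in for cylc.uiserver.auth.authorise."""
    # Raises KeyError for users with no entry, to exercise the fail-closed path.
    return action in SAMPLE_CYLC_PERMISSIONS[user.username]


def decide(user, action, resource, owner, cylc_authorise=sample_authorise):
    """Same branching as DefaultAuthorizer.is_authorized, failing closed."""
    if user is None or not user.username:
        return False  # no identified user: deny
    if resource == "cylc":
        try:
            # Only an explicit True grants access; None or truthy junk does not.
            return cylc_authorise(user, action) is True
        except Exception:
            return False  # an error in the delegated check must not grant access
    # Every other extension (e.g. Jupyter Lab) is owner-only.
    return user.username == owner


def decision_matrix(owner="alice"):
    """Evaluate the policy over constructed (user, action, resource) cases."""
    cases = [
        ("alice", "write", "cylc"), ("alice", "execute", "terminals"),
        ("bob", "read", "cylc"), ("bob", "write", "cylc"),
        ("bob", "read", "contents"), ("mallory", "read", "cylc"),
        (None, "read", "cylc"),
    ]
    return {
        (name, action, resource): decide(
            User(name) if name else None, action, resource, owner)
        for name, action, resource in cases
    }
```

The same table can be reused as a regression test when a site overrides the default authorizer class.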