Pluto.jl icon indicating copy to clipboard operation
Pluto.jl copied to clipboard

Published 20 hours ago • verified publisher icon fonsp

What you see is what you REST

Open ctrekker opened this issue 3 years ago • 7 comments

Watch the presentation!

https://www.youtube.com/watch?v=xsxJt4prFG4

Try it out!

julia> ]
pkg> activate --temp
pkg> add https://github.com/ctrekker/Pluto.jl#wysiwyr2
julia> import Pluto; Pluto.run()

ctrekker avatar Apr 02 '21 17:04 ctrekker

Awesome!

With this, one could build powerful micro-services with very little effort. Thinking about use cases e.g. in financial industry, it would be important to protect the notebooks, so that the user of the API cannot modify the notebook (i.e. the running microservice) itself. For this, the following features would be great in my opinion:

  1. The notebook should define which variables are modifyable with the API and which variables should be requestable. Possible syntax:
@listen a, b
@publish y, z

Variables not explicitly defined should not be accessible from the API. Maybe the default could be to listen / publish all variables, unless @listen / @publish is explicitly written in the notebook?

  1. It should be possible to allow users access of the API without allowing them to open the notebook itself. This could e.g. be archieved by using different secrets.

lungben avatar Apr 02 '21 18:04 lungben

Your first point makes a lot of sense! Not only would explicitly defining which variables users can change via the API (in production/deployment settings) enhance notebook protection, but it would also allow for further optimization since execution plans can be computed beforehand and only once.

For your second point, I was thinking about adding a configuration option which would allow users to run Pluto in an "API only" mode which would disable notebook editing and access features, restricting use to the API only. Perhaps this mode will also default to only serving "endpoints" defined by the @listen and @publish macros mentioned earlier and will otherwise fall back to serving all variables but give a warning message in the console about notebook security.

ctrekker avatar Apr 04 '21 17:04 ctrekker

Would it be possible to put the functionality for accessing the Pluto REST API (in file REST.jl, like PlutoNotebook) into a separate little package, e.g. called PlutoRESTClient? When it is in Pluto, you have to import the complete Pluto package in your client just to use the REST API access functions.

lungben avatar Jun 30 '21 09:06 lungben

@lungben It's definitely overkill to have to import all of Pluto, so putting it in a separate package that main Pluto would import inside PlutoRunner might work better. Perhaps the REST functions live in a different package, PlutoRESTClient.jl, and is exported from Pluto.jl as well?

ctrekker avatar Jun 30 '21 18:06 ctrekker

+1 for a seperate package, I'd like to use this as a workspace backend for CLI scripts etc. too, see also #1073

Roger-luo avatar Jun 30 '21 20:06 Roger-luo

The client functionality is now in a separate package https://github.com/JuliaPluto/PlutoRESTClient.jl. I haven't published it nor removed the client code from the PR yet though

ctrekker avatar Jul 01 '21 17:07 ctrekker

@ctrekker frontend tests are fixed on main!!! ✅✅✅

fonsp avatar Feb 15 '22 22:02 fonsp