
Add authentication for Voila before notebook is launched

Open tomnewg opened this issue 4 years ago • 7 comments

Hi guys,

I am running voila on a public heroku app and would love to put authentication before. I have seen a few threads here on this topic but none of the posts helped me to solve the issue.

Is there any update on this? Any document/post you can hint me to on how to put an auth handler before the notebook is launched.

Many thanks

Tom

tomnewg, Jun 26 '20 06:06

Thanks @tomnewg.

It sounds like the idea of the prelaunch hook in https://github.com/voila-dashboards/voila/pull/218 could help adding auth: https://github.com/voila-dashboards/voila/pull/218#issuecomment-545084194

jtpio, Jul 14 '20 12:07

Hi @tomnewg, I'm not sure if this is the use case you are looking for (i.e. I'm not sure if the distinction of "authentication" vs "authorization" is important to you), but we have solved at least the "authentication" part by running our voila service on AWS ECS and placing it behind an AWS Cognito service that enforces Google OAuth. The server itself is public, but only company logins can access. Now, this doesn't even touch the voila server until the authentication itself succeeds, at which point it does forward information in the request to the voila server, which could in principle be used for fine-grained "authorization".

The PR referenced by @jtpio is definitely a way to go for this "authorization".

For the authentication piece, I'd be happy to try to boil down what we did into some documentation here that might help folks out. For us, this was a critical component of getting buy-in from management to use voila as our live BI-dashboard backend.

mgmarino, Jul 20 '20 14:07

Hi @mgmarino, thanks for your reply. Ideally, I am looking for both, but yes I am looking firstly for authentication and then authorization. I basically have two use cases.

  1. Deploy voila dashboards within a voila-gallery powered by tljh and would like to password protect the gallery ideally with the authentication that is already provided with the jupyterhub.
  2. Deploy voila dashboard on AWS or heroku and put some authentication beforehand -> really doesn't matter which one

Your solution sounds like it solves the latter, right? Documentation for both cases would be extremely useful as I have seen a lot of people asking for this. I am also happy to help/support you in any way I can. Just hit me up.

tomnewg, Jul 20 '20 20:07

@mgmarino I am new to voila, I would like to containerize voila with an ipynb and serve up a URL from it. I am curious how you containerized voila with the notebook\ipynb file to offer up the URL. (may be missing the info in docs somewhere)

Is there a sample project using docker somewhere I can look at?

illinineverdie, Jan 11 '21 18:01

@mgmarino I too am looking for both. We have a private VM open to the world that will be serving a voila instance behind a Flask app. I noticed that issue #576 had a similar use case to ours (our Flask app is running on a docker-compose cluster with reverse proxying from an nginx server and we will be deploying voila through a Jupyter NB server).

Any pointers would be most appreciated.

GregSilverman, Mar 27 '21 02:03

I think we're at risk of going way off topic here, but I'm not sure where such information would best go? Let me at least give you some more details to our setup. We don't need/use nginx and you might find you could do without it, too. Our services are running on AWS.

Here are some important parts of our Stack, I'm going to use cloudformation resource names:

  • AWS::ElasticLoadBalancingV2::LoadBalancer
    • Internet facing, you would of course need an associated DNS entry (e.g. in Route53) to point to this with your desired domain name.
  • AWS::ElasticLoadBalancingV2::Listener
    • Listening on https (we have an automatic redirect from http to https to force https), with a certificate
    • Action list that includes forcing authentication via AWS Cognito. We use Google OAuth as our external provider, I won't go into any more details here.
    • Last action is forwarding to the application server running Voila
  • AWS::ElasticLoadBalancingV2::TargetGroup, AWS::ECS::Service, AWS::ECS::TaskDefinition
    • Our voila server is basically a docker container running on ECS (Fargate). We have actually customized it to perform user-based authorization, but I will not go into that here. All you need to know is that the voila server runs exposed on a port. This port is forwarded to from the load balancer. We store our docker container in the AWS ECR container repository.

The ELBV2 basically works out of the box. There's no special configuration for the websockets needed for voila to work, etc. We have some minor issues (e.g. when deploying a new version of the service), but this is out of scope here.

I've also added (a redacted) Cloudformation stack here. I hope that helps.

To the Voila maintainers, I'd be really happy to know where such info could best go. I think it'd be great to lower the bar to have more people using voila in production. In our experience, it is an extremely powerful piece of a great solution for professional, heavily customizable dashboards.

mgmarino, Mar 27 '21 12:03
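
The listener setup described in the comment above, sketched as a CloudFormation fragment. This is an added example, not the redacted stack mgmarino linked: the logical IDs, parameter names and the task security group are assumptions, and LoadBalancer, LoadBalancerSecurityGroup and VoilaTargetGroup are assumed to be defined elsewhere in the same template.

```yaml
# Added example; all names below are placeholders, not taken from the thread.
Parameters:
  CertificateArn: {Type: String}
  UserPoolArn: {Type: String}
  UserPoolClientId: {Type: String}
  UserPoolDomain: {Type: String}             # Cognito hosted-UI domain prefix
  VpcId: {Type: String}
  VoilaPort: {Type: Number, Default: 8866}   # assumption: Voila's default port
Resources:
  HttpListener:                              # plain HTTP only redirects to HTTPS
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: {Protocol: HTTPS, Port: "443", StatusCode: HTTP_301}
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: authenticate-cognito         # runs first; no session means a login redirect
          Order: 1
          AuthenticateCognitoConfig:
            UserPoolArn: !Ref UserPoolArn
            UserPoolClientId: !Ref UserPoolClientId
            UserPoolDomain: !Ref UserPoolDomain
            OnUnauthenticatedRequest: authenticate
        - Type: forward                      # reached only after authentication succeeds
          Order: 2
          TargetGroupArn: !Ref VoilaTargetGroup
  VoilaTaskSecurityGroup:                    # attach to the ECS service running Voila
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Voila tasks accept traffic only from the load balancer
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref VoilaPort
          ToPort: !Ref VoilaPort
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
```

The security group is what keeps the Cognito check from being bypassed: if the Voila port is reachable from anywhere other than the load balancer, those requests never pass through the authenticate action. The Cognito app client also needs https://<your-domain>/oauth2/idpresponse registered as a callback URL.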

Is there any documentation to add authentication by deploying Voila on AWS?

karan-samat, Jun 10 '21 19:06