jLab: you need to be logged in

[esraneufeld]

in view of the conclusion of the public jupyterlab and cybersecurity working group, let's prevent anonymous users from accessing studies with an editable jupyterlab in it. they should instead see a message saying that they need to be logged in to access this study.

[elisabettai]

I think it's becoming quite urgent. We'll need to make some templates containing jupyterlabs public, e.g.:

• The Codeathon 2022 studies will have a link on the SPARC Portal
• The ASCENT Studies for the Grill Lab

To achieve that, I think we need the following backend modifications:

• 1. Change the message and add an image that is displayed when a template is not published, right now it looks like:
  
• 2. Make sure that we can share the link to a template and that when the link is accessed then a copy (=a new study) is created.
  related case Link to share templates #806

Might be worth considering as well (maybe as part of another case): can we extend the disabling internet access feature to JupyterLabs (=i.e. all services that have a terminal)? @GitHK

fyi, @sanderegg, new SM.

[esraneufeld]

i am not sure that i understand the above. did we not conclude that we start by preventing anonymous users from accessing pipelines containing such services, but people with login would be accepted?

[elisabettai]

Yes, @esraneufeld, what you said it is what we are going to do, i.e. users that don't have an account and try to access a pipeline that has jupyterlabs will receive a clear and nice message that asks them to create an account.

[elisabettai]

Just had a brainstorming session with @pcrespov: there's a small piece of development needed for this one.

Basically we need a way to mark certain templates (in the database?) as being openable by guests or not. Let me know @pcrespov it that's not clear.

[esraneufeld]

hi, can i ask: why is this about a certain template and not about the presence of a certain service in the template/study? all the best esra

[pcrespov]

Goal for sprint Mithril

Will start implementing a short-term solution and create a plan for a more general solution that brings together the implementations of study-dispatcher for non-members (role based access) and the sharing functionality among members of the platform (group-based access).

Proposal:

• A tester selects a template study that s/he owns and presses a button to create a "external link"
• The UI asks for the role of the destination (e.g. open to the general public or not)
• The option checks whether the services inside the study can be made public (i.e. w/o login) and warns(or fails) about it

Implementation: @pcrespov @odeimaiz @elisabettai

• Add in service-metadata (upon acceptance) a flag to determine whether they can be published openly: can be associated with some sort of license agreement.
• API to create "share links" restricted to testers and that can validate services in project and enable publish
• FE: If tester, allow creation of a "share-link" for templates and show warnings if services are now allowed to be open
• Plan a unified "share/reference" mechanism (internal and external) that can work with links for both to the same standard projects or create a copy of template projects

[elisabettai]

Hi @pcrespov, this will be nice to get working for the steering committee meeting as well (before 29th March).

The use case we have is publishing links to templates on the SPARC Portal.
These templates contain the service jupyterlab-math (v.2.0.8).

Everyone from outside should be able to access those templates, but we need to check that they're logged in. If not, opening the templates should fail as now happens for the jupyterlab viewers (with the same nice panda image ☺️)

[pcrespov]

@elisabettai this is already implemented right? If so, please close or highlight what is missing