Skip to content

Disallow site auth limits in user configs. #751

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Disallow site auth limits in user configs. #751

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions cylc/uiserver/scripts/gui.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,15 @@
import asyncio
from contextlib import suppress
from glob import glob
from importlib.util import spec_from_loader, module_from_spec
from importlib.machinery import SourceFileLoader
import os
import re
from requests.exceptions import RequestException
import requests
import sys
from textwrap import dedent
from traitlets.config import Config
from typing import Optional
import webbrowser
from getpass import getuser
Expand All @@ -49,10 +52,43 @@
CylcUIServer,
INFO_FILES_DIR
)
from cylc.uiserver.config_util import (
USER_CONF_ROOT,
get_conf_dir_hierarchy,
)


CLI_OPT_NEW = "--new"


def inspect_user_config_files(config_paths):
not_allowed = ["site_authorization"]
Copy link
Member

@dwsutherland dwsutherland Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make sense for this not_allowed list to be defined at the site config level by the administrators?

Because it's really a policy matter what the admins allow/disallow the user to do with access to themselves.

Copy link
Member

@dwsutherland dwsutherland Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually .. Strike this, reverse it ..

site_authorization should only be set at site level..
whereas user_authorization is set by the user, and bound by the site_authorization parameters..

Copy link
Member Author

@hjoliver hjoliver Nov 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't really need a list actually, I think there's only one relevant setting. The code all runs as the user, it's just that it doesn't make sense to have site_... settings in the user config file.

for conf_file in config_paths:
if not os.path.exists(conf_file):
continue
loader = SourceFileLoader("module_name", conf_file)
spec = spec_from_loader(loader.name, loader)
if spec is None:
continue
user_module = module_from_spec(spec)
if user_module is None:
continue
# inject the "c" traitlets config object into the user config.
user_module.c = Config()

# import the module without adding it to sys.modules
loader.exec_module(user_module)

for item in not_allowed:
if item in user_module.c.CylcUIServer:
print(
f"ERROR {conf_file}: "
f"'{item}' cannot be set in user config files",
file=sys.stderr
)
sys.exit(1)


def main(*argv):
init_log()
hub_url = glbl_cfg().get(['hub', 'url'])
Expand Down Expand Up @@ -99,6 +135,14 @@ def main(*argv):
if '--no-browser' not in sys.argv:
webbrowser.open(url, autoraise=True)
return
inspect_user_config_files(
get_conf_dir_hierarchy(
[
USER_CONF_ROOT, # user configuration
], filename=True
)
)

return CylcUIServer.launch_instance(
jp_server_opts or None, workflow_id=workflow_id
)
Expand Down