Commit d8f32f1c authored by Stefano Alberto Russo's avatar Stefano Alberto Russo

Merge branch 'fixes/platform_computing_user' into develop

parents 0a6f481a 02e8a862
+23 −13
@@ -43,30 +43,40 @@ Clean

### Configuration

Example Webapp configuraion:
Webapp service configuraion parameters and their defaults:

      - SAFEMODE=False
      - DJANGO_DEV_SERVER=True
      - DJANGO_DEBUG=True
      - SAFEMODE=false
      - DJANGO_DEV_SERVER=true
      - DJANGO_DEBUG=true
      - DJANGO_LOG_LEVEL=ERROR
      - ROSETTA_LOG_LEVEL=ERROR
      - ROSETTA_TUNNEL_HOST=localhost # Not http or https
      - ROSETTA_WEBAPP_HOST= 
      - ROSETTA_HOST=localhost
      - ROSETTA_TUNNEL_HOST=localhost
      - ROSETTA_WEBAPP_HOST=""
      - ROSETTA_WEBAPP_PORT=8080
      - LOCAL_DOCKER_REGISTRY_HOST=
      - LOCAL_DOCKER_REGISTRY_PORT=5000
      - ROSETTA_REGISTRY_HOST=proxy
      - ROSETTA_REGISTRY_PORT=5000
      - DJANGO_EMAIL_SERVICE=Sendgrid
      - DJANGO_EMAIL_APIKEY=
      - DJANGO_EMAIL_APIKEY=""
      - DJANGO_EMAIL_FROM="Rosetta <notifications@rosetta.local>"
      - DJANGO_PUBLIC_HTTP_HOST=http://localhost # Public facing, with http or https
      - INVITATION_CODE=""
      - OIDC_RP_CLIENT_ID=""
      - OIDC_RP_CLIENT_SECRET=""
      - OIDC_OP_AUTHORIZATION_ENDPOINT=""
      - OIDC_OP_TOKEN_ENDPOINT=""
      - OIDC_OP_JWKS_ENDPOINT=""
      - DISABLE_LOCAL_AUTH=False
      - DISABLE_LOCAL_AUTH=false

In Rosetta, only power users can:
Notes:

 - `ROSETTA_TUNNEL_HOST` must not include http:// or https://
 - `ROSETTA_REGISTRY_HOST` should be set to the same value as `ROSETTA_HOST` for production scenarios, in order to be secured unders SSL. The `standaloneworker` is configured to treat the following hosts (and ports) as unsecure registies, where it can connect without a valid certificate: `proxy:5000`,`dregistry:5000` and `rosetta.platform:5000`.
 - `ROSETTA_WEBAPP_HOST` is used for let the agent know where to connect, and it is differentiated from `ROSETTA_HOST` as it can be on an internal Docker network. It is indeed defaulted to the `webapp` container IP address.



### User types 
In Rosetta there are two user types: standard users and power users. Their type is set in their user profile, and only power users can:

   - set custom task passwords
   - choose task access methods other than the default one (bypassing HTTP proxy + auth)
+2 −2
@@ -60,8 +60,8 @@ services:
      - ROSETTA_LOG_LEVEL=DEBUG
      #- ROSETTA_WEBAPP_HOST=localhost # Internal, for the agent
      #- ROSETTA_WEBAPP_PORT=8080      # Internal, for the agent
      #- LOCAL_DOCKER_REGISTRY_HOST=
      #- LOCAL_DOCKER_REGISTRY_PORT=5000
      #- ROSETTA_REGISTRY_HOST=
      #- ROSETTA_REGISTRY_PORT=5000
      #- DJANGO_EMAIL_APIKEY=""
      #- DJANGO_EMAIL_FROM="Rosetta Platform <notifications@rosetta.platform>"
      #- DJANGO_SECRET_KEY=""
+4 −2
@@ -21,8 +21,10 @@ RUN mkdir /home/testuser/.ssh
COPY keys/id_rsa.pub /home/testuser/.ssh/authorized_keys
RUN dnf install -y python wget

# Install iputils (ping)
RUN dnf install -y iputils
# Install iputils (fpr ping) and openssh-clients (for scp)
RUN dnf install -y iputils openssh-clients

# TODO: Add the rosettta user

# Copy registries.conf to allow insecure access to dregistry
COPY registries.conf /etc/containers/registries.conf
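Review bot: The new comment `# Install iputils (fpr ping) and openssh-clients (for scp)` has a typo (`fpr` should be `for`). As a point of style, the preceding context line already runs `dnf install -y python wget`, so the new install could be folded into it as `RUN dnf install -y python wget iputils openssh-clients && dnf clean all`, which avoids an extra image layer and leaves the package cache out of the test image.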
+4 −0
@@ -85,6 +85,10 @@ short-name-mode="enforcing"
location = "dregistry:5000"
insecure = true

[[registry]]
location = "proxy:5000"
insecure = true

[[registry]]
location = "rosetta.platform:5000"
insecure = true
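Review bot: The new `[[registry]]` entry marks `rosetta.platform:5000` as `insecure = true` without a comment on why that host must bypass TLS verification, while the README in this same commit recommends pointing `ROSETTA_REGISTRY_HOST` at the SSL-secured `ROSETTA_HOST` in production. From this file alone a reader cannot tell whether `rosetta.platform` is only a development/test name or could also be a real deployment hostname, in which case the worker would accept plain HTTP or an unverified certificate from it. A comment above the entry such as `# rosetta.platform:5000: <reason TLS verification is skipped here>; drop this entry where the registry is served behind ROSETTA_HOST TLS` would record the intent, and restricting the entry to dev/test images would be the stronger fix.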
+7 −4
@@ -321,7 +321,7 @@ print(port)
                return HttpResponse('Port not valid (got "{}")'.format(task_interface_port))
              
            # Set fields
            logger.info('Setting task "{}" to ip "{}" and port "{}"'.format(task.uuid, task_interface_ip, task_interface_port))
            logger.info('Agent API setting task "{}" to ip "{}" and port "{}"'.format(task.uuid, task_interface_ip, task_interface_port))
            task.status = TaskStatuses.running
            task.interface_ip = task_interface_ip
            
@@ -349,7 +349,7 @@ print(port)
            # Notify the user that the task called back home if using a WMS
            if task.computing.wms:
                if settings.DJANGO_EMAIL_APIKEY:
                    logger.info('Sending task ready mail notification to "{}"'.format(task.user.email))
                    logger.info('Agent API sending task ready mail notification to "{}"'.format(task.user.email))
                    mail_subject = 'Your Task "{}" is now starting up'.format(task.container.name)
                    mail_text = 'Hello,\n\nyour Task "{}" on {} is now starting up. Check logs or connect here: https://{}/tasks/?uuid={}\n\nThe Rosetta notifications bot.'.format(task.container.name, task.computing, settings.ROSETTA_HOST, task.uuid)
                    try:
@@ -441,7 +441,7 @@ class FileManagerAPI(PrivateGETAPI, PrivatePOSTAPI):
                if computing.auth_mode == 'user_keys':
                    computing_user = user.profile.get_extra_conf('computing_user', storage.computing)
                    if not computing_user:
                        raise Exception('Computing resource \'{}\' user is not configured'.format(storage.computing.name))
                        raise ValueError('No \'computing_user\' parameter found for computing resource \'{}\' in user profile'.format(storage.computing.name))
                    base_path_expanded = base_path_expanded.replace('$SSH_USER', computing_user)
                else:
                    base_path_expanded = base_path_expanded.replace('$SSH_USER', computing.conf.get('user'))
@@ -449,7 +449,7 @@ class FileManagerAPI(PrivateGETAPI, PrivatePOSTAPI):
            else:
                raise NotImplementedError('Accessing a storage with ssh+cli without going through its computing resource is not implemented')
        if '$USER' in base_path_expanded:
            base_path_expanded = base_path_expanded.replace('$USER', user.name)
            base_path_expanded = base_path_expanded.replace('$USER', user.username)

        # If the path is not starting with the base path, do it
        if not path.startswith(base_path_expanded):
@@ -757,6 +757,9 @@ class FileManagerAPI(PrivateGETAPI, PrivatePOSTAPI):
                    if not storage.type=='generic_posix'  and storage.access_mode=='ssh+cli':
                        continue
                    
                    if storage.access_through_computing and not storage.computing.manager.is_configured_for(user=request.user):
                        continue
                    
                    data['data'].append({
                                         'id': '/{}/'.format(storage.id),
                                         'type': 'folder',
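Review bot: The new `raise ValueError(...)` in the `if not computing_user:` branch (hunk at line 441) turns a missing profile setting into an exception raised from inside the view; unless the enclosing method, which starts outside this hunk, converts exceptions into an API error response, the caller gets a 500 instead of the more actionable message the commit introduces. Returning it as the method's error response, the way the `Port not valid` path does with `HttpResponse`, or catching it at the view boundary would keep the improved wording reachable. Separately, `computing_user` is read from the user's own profile and substituted into `base_path_expanded`, which is then compared with `path`; if `get_extra_conf` does not already validate it, a short comment stating where the value is validated (or a check rejecting path separators) would make that visible to the next reader.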