ClusterCockpit / cc-backend

Web frontend and API backend server for ClusterCockpit Monitoring Framework
https://www.clustercockpit.org
MIT License

API access for regular user #264

Open giesselmann opened 1 month ago

giesselmann commented 1 month ago

Hi, I have a few users interested in processing metric data from their jobs. I'm strongly in favor of that, but as of now, only users with the role 'api' could do this. But the api role also allows adding/deleting jobs...

Could you think of a way that 'normal' users can, just like in the web frontend, get read-only access via API to their jobs?

moebiusband73 commented 1 month ago

Yes, you are right. That would be an important feature, and some users here have also asked for it.

We have to discuss how we can merge the database logic from repository/query.go with the one in repository/job.go used in the REST API. In query.go there is a Security check as part of the query builder that ensures that you can only see the jobs you are supposed to see according to your role: https://github.com/ClusterCockpit/cc-backend/blob/0b2f2214f99d14aa73757173616f92bb895240c4/internal/repository/query.go#L95
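The kind of role-scoped query filter described in the comment above, as an added example that is not part of the thread and not cc-backend's own code. The `User` type, the role names `admin`, `manager` and `user`, and the `job.user` / `job.project` columns are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a hypothetical authenticated principal (not a cc-backend type).
type User struct {
	Username string
	Roles    []string
	Projects []string // projects a manager is responsible for
}

func (u User) has(role string) bool {
	for _, r := range u.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// ScopeJobQuery appends a role-dependent WHERE clause to a read-only job query.
// Values are returned as bind arguments, never concatenated into the SQL text.
func ScopeJobQuery(u User, base string) (string, []interface{}, error) {
	switch {
	case u.has("admin"):
		return base, nil, nil // unrestricted read access
	case u.has("manager") && len(u.Projects) > 0:
		ph := strings.TrimSuffix(strings.Repeat("?,", len(u.Projects)), ",")
		args := []interface{}{u.Username}
		for _, p := range u.Projects {
			args = append(args, p)
		}
		return base + " WHERE (job.user = ? OR job.project IN (" + ph + "))", args, nil
	case u.has("user"):
		return base + " WHERE job.user = ?", []interface{}{u.Username}, nil
	default:
		// Fail closed: a token without a recognised read role sees nothing.
		return "", nil, errors.New("no role grants job read access")
	}
}

func main() {
	u := User{Username: "k12345", Roles: []string{"user"}} // constructed sample user
	fmt.Println(ScopeJobQuery(u, "SELECT job.id FROM job"))
}
```

Applying the same filter in every read path (web frontend, GraphQL, REST) is what keeps a regular user's token limited to that user's own jobs regardless of which endpoint it is sent to.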

giesselmann commented 1 month ago

Found something that almost works: the GraphQL endpoint. A query like this with a JWT token of the corresponding user does the job. Altair has a browser plugin to debug this.

{
  job(id: 3055306){
    user,
    startTime
  }
  jobMetrics(id: 3055306, metrics:"mem_used"){
    name,
    metric{
      series{
        data
      },
      timestep
    }
  }
}

Response:

{
  "data": {
    "job": {
      "user": "k12345",
      "startTime": "2024-04-30T18:05:14+02:00"
    },
    "jobMetrics": [
      {
        "name": "mem_used",
        "metric": {
          "series": [
            {
              "data": [
                7.15,
                7.17,
                56.31,
                57.1,
                57.1,
                57.1,
                56.88
              ]
            }
          ],
          "timestep": 60
        }
      }
    ]
  }
}

The only remaining issue is that a regular user can't generate a JWT token for themselves, right? I find it only in the admin options. But that should be easy to implement.