Open dharhas opened 6 months ago
pmeier
commented
6 months ago I see that we are missing forward slashes for the auth and logout endpoints:
@pierrotsmnrd Do you remember if this was intentional?
I'm not saying that this is the issue here, but this the only thing that caught my eye while looking into it.
pierrotsmnrd
commented
6 months ago It was not intentional. I don't know if this has an impact or not. worth trying.
pmeier
commented
6 months ago @aktech confirmed that #276 indeed fixed the issue. However, we have for more instances of hardcoded paths for the login mechanism:
They also need be relative. This most likely has to happen in JS.
pmeier
commented
4 months ago @aktech This is solved with the PRs you have send, correct?
aktech
commented
4 months ago I have not tested it yet. I am testing is right now.
aktech
commented
4 months ago The login endpoint issue is fixed (which is what this issue is about), I am able to login via the proxy url, which takes me to the /auth.
After login the UI will look for http://127.0.0.1:31476/document (when you upload a doc), which can be fixed with creating ui and api separately, something along these lines: https://github.com/nebari-dev/jhub-apps/discussions/147 I'll give that a try to confirm if that works (I am fairly confident it should).
aktech
commented
4 months ago I just tried running two separate processes explicitly one for API and another for UI
ragna apiragna ui --no-open-browser --no-start-apiWith this ragna.toml:
# change to match your directory and same for all others below
local_root = "/home/akumar@quansight.com/.cache/ragna"
authentication = "ragna.deploy.RagnaDemoAuthentication"
document = "ragna.core.LocalDocument"
source_storages = [
"ragna.source_storages.RagnaDemoSourceStorage",
]
assistants = [
"ragna.assistants.RagnaDemoAssistant",
]
[api]
hostname = "127.0.0.1"
port = "31476"
# change this url to match the url of the created ragna api app url
url = "https://nebari.quansight.dev/user/akumar@quansight.com/proxy/31476"
origins = ["https://nebari.quansight.dev"]
database_url = "sqlite:////home/akumar@quansight.com/.cache/ragna/ragna.db"
[ui]
hostname = "127.0.0.1"
port = 31477
origins = [
"http://127.0.0.1:31477",
]Below is the error (as API is not accessible to UI without authentication and it does a 302 redirect to hub authentication)
It didn't work as the API deployed via jupyter server proxy is supposed to be publicly accessible as the UI calls the API internally instead of on the browser as explained in here: https://github.com/nebari-dev/jhub-apps/discussions/147#discussion-6331219 (TLDR: UI hits the hub authentication before the API authentication).
I didn't see a way to expose the API publicly in the Jupyter Server Proxy @dharhas do you know if that's possible?
dharhas
commented
4 months ago @aktech we don't want the API to be publicly accessible right? it should still be behind auth but the hope would be that internally launched tools should be able to see each other.
pinging @krassowski in case he has any ideas.
aktech
commented
4 months ago @aktech we don't want the API to be publicly accessible right? it should still be behind auth but the hope would be that internally launched tools should be able to see each other.
Yes, there are two levels of authentication here:
We only want to get rid of the first one, the second one will still exist, which means the API won't be public.
krassowski
commented
4 months ago I think it is not possible to selectively disable auth in jupyter-server-proxy. One could hack it around by monkeypatching the tornado internals but I would not go that way as this is a security critical component we don't want to accidentally break.
If that was launched from jhub-apps you could presumably pass the JupyterHub auth token/cookie in the request to pass through the JupyterHub-level auth, right? Or is there a conflict because both Ragna and JupyterHub name the tokens the same way?
krassowski
commented
4 months ago In a sense, this looks like ragna should be a service with a service token (so that we are not passing the user auth token).
dharhas
commented
4 months ago Maybe the jhub-apps can launch the ragna backend as a 'service' and then the ragna frontend can be a regular app?
dharhas
commented
4 months ago A more general question is how does a user deploy rest api's that they want other apps on the platform to be able to use.
Bug description
When I launch "ragna ui" from the command line on JupyterHub/Nebari with say:
BOKEH_ALLOW_WS_ORIGIN=nebari.quansight.dev ragna uiRagna is deployed with JupyterHub Server Proxy to the url:
https://nebari.quansight.dev/user/dharhas@quansight.com/proxy/31477/This works but the the login page gets redirected to
https://nebari.quansight.dev/auth and shows a 404.
gets redirected to
https://nebari.quansight.dev/authmanually changing the auth url to
https://nebari.quansight.dev/user/dharhas@quansight.com/proxy/31477/authlets me login and then I can use ragna.
How to reproduce the bug?
launch a terminal on Jupyterhub/ragna and launch ragna ui
Versions and dependencies used
ragna - 0.1.3 python - 3.11.7 os - linux
Anything else?
No response