cnr-ibf-pa / hbp-bsp-issues

Ticketing system for developers/testers and power users of the Brain Simulation Platform of the Human Brain Project

Service Account - see other people's jobs #539

Closed antonelepfl closed 4 years ago

antonelepfl commented 4 years ago

I'm using the Service Account and if I enter with a different user I'm able to see the jobs that other people started. I think we need to think of something like having some kind of mapping of user to job IDs.

For now we can start thinking about something and put ideas here. What do you think, @lbologna @rcsm17?

antonelepfl commented 4 years ago

We can use tags in Unicore. I'm already using this for fetching only the simulation jobs or analysis jobs. For instance, when I submit a job, you guys can add the tag of my ID, and then when I ask for my jobs you add my ID to the tags that I asked for.

I'm doing a kind of brainstorming of how we can fix this issue.

rcsm17 commented 4 years ago

Hi @antonelepfl,

This problem is more technical. In the standard API of the Service Account, when you make a request, the entire request is preprocessed by the SA, any information is recorded, and the request is translated with the HPC's API. Therefore every request is processed by the SA, and the SA knows which user every request is linked to. Instead, for the advanced API you talk directly with the HPC. The requests are not preprocessed, except for the user check. So when you make a request as "antonel" (via the advanced API), on the SA side your request is accepted for your user, but on the HPC side every request is done by the SA user! And this is the crucial point on which you can see other users' jobs. Indeed, when you make a GET request to fetch your jobs, you make a request as "antonel" on the SA side, but on the HPC side the request is always made by the SA user, so it returns the SA user's jobs, which comprise all jobs. (Hope this explanation is clear... my English is not yet good.)

To avoid this behavior we can apply a kind of filter on the results of the GET request. But I need to know which lines to cut off from every GET response. Or maybe better, since I assign every "advanced" job to the real user when a user submits a job, I can check whether the GET request is related to the user's jobs by checking the records in the DB and the information in the request, and if it is not related I can block the request before sending it to the HPC.

What's your idea about this?

BerndSchuller commented 4 years ago

Apart from using tags, there is really no fast way to distinguish jobs (or anything) from different "real" users who are all using the same UNICORE identity.

BerndSchuller commented 4 years ago

ahh sorry closed by accident :-)

antonelepfl commented 4 years ago

@rcsm17 if I understand, you receive the request and you CAN add something to it, right (using the advanced endpoint)? We can try to add the Unicore tag as Bernd suggested; that is the easy way to do it. @lbologna What do you think?

lbologna commented 4 years ago

Hello @antonelepfl,

we discussed with Roberto on the current implementation of the service account. The tag solution @BerndSchuller is suggesting seems to be the easiest way for us (the alternative solution would be to get all the jobs info first and then filter the response, but this would definitely be less efficient). Our suggestion is that we add as tag the user's userid: in this way, when fetching the job info/data, we will perform a request that will filter out other users' jobs at UNICORE level.

If this seems reasonable to you, we will proceed this way.

Thanks.

antonelepfl commented 4 years ago

Yeah I think it is a good option. When you guys have some time we can move forward on this.

antonelepfl commented 4 years ago

I guess you guys are working on this because I'm getting an empty list all the time, even if I just ran a new simulation.

rcsm17 commented 4 years ago

Yes, I'm working on it.

rcsm17 commented 4 years ago

I think it should work now.

antonelepfl commented 4 years ago

Thank you Roberto! So far it is working. Let me test a bit more and if I see something wrong I'll tell you.

alex4200 commented 4 years ago

For me it also seems to work now. I only can see my own two jobs for https://bbp.epfl.ch/public/dev.simulationapp/index.html#/circuits/sscx_hbp_sa_mouse_microcircuit/view/service_account

rcsm17 commented 4 years ago

That's good!

So, I added the userid tag to the POST request when the user submits the job and to the GET request when the user fetches the jobs. For other requests I did not add anything else... Let me know if I have to make other changes.

antonelepfl commented 4 years ago

This works fine for me so far. We can close this issue. Thank you Roberto!
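
The tag approach the thread settled on, as an added sketch (not the Service Account's code): the proxy stamps each job with a tag taken from the authenticated user and forces that tag into every listing. `FakeHpc`, the `user:` tag prefix, the all-tags-must-match filter and the by-id check are assumptions made for this illustration.

```python
# Added illustration; FakeHpc and the "user:" prefix are constructed, not the project's code.
USER_TAG_PREFIX = "user:"  # assumed namespace that only the proxy may write


class FakeHpc:
    """Stand-in for the HPC side: every job belongs to the one shared identity."""

    def __init__(self):
        self.jobs = {}

    def submit(self, description):
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"id": job_id, "tags": set(description.get("Tags", []))}
        return job_id

    def list_jobs(self, tags=()):
        # Jobs carrying all requested tags; with no tags, every job is returned.
        wanted = set(tags)
        return sorted(j for j, job in self.jobs.items() if wanted <= job["tags"])


def _client_tags(tags):
    # Drop caller-supplied tags in the reserved namespace so nobody can claim another user's tag.
    return [t for t in tags if not t.startswith(USER_TAG_PREFIX)]


def proxy_submit(hpc, auth_user, description):
    tags = _client_tags(description.get("Tags", []))
    tags.append(USER_TAG_PREFIX + auth_user)  # identity comes from the verified login only
    return hpc.submit({**description, "Tags": tags})


def proxy_list(hpc, auth_user, tags=()):
    # Keep the caller's own filters (e.g. "simulation") and add the user tag on top.
    return hpc.list_jobs(_client_tags(tags) + [USER_TAG_PREFIX + auth_user])


def proxy_get(hpc, auth_user, job_id):
    # A request that names a job directly is checked against the same tag.
    job = hpc.jobs.get(job_id)
    if job is None or USER_TAG_PREFIX + auth_user not in job["tags"]:
        raise PermissionError("job not found for this user")
    return job
```
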