Researcher needs to access UI from inside the workspace

[marrobi]

As a Researcher I need to be able to access the UI for my current workspace from a VM inside the workspace. This is needed so that I can retrieve connection URIs to services such as AML, and read/copy/paste instructions on how to use workspace services while inside the workspace.

Acceptance Criteria

• [ ] Should only be able to access the current workspace
• [ ] Risk of data exfiltration should be low.
• [ ] Access should be via a trusted SSL certificate

@damoodamoo welcome your thoughts

[damoodamoo]

Could we use app gateway routes to dynamically rewrite a route per workspace? so a call from Workspace A to the UI would get routed straight to /workspace/workspace-a ?

As we've also discussed, would we want to treat in-workspace access to the UI as readonly, possibly by blocking POST / PATCH requests?

[marrobi]

Yes, my first route forward would be to have a basic app gw per workspace, and do a path route. DNS and SSL will need configuring. The app gw could also be used with customer who do not want to expose Azure Websites URIs from the workspace.

[marrobi]

The inside view of the UI might need to provide access to secrets too, in line with #2401

[marrobi]

Application gateway now support private endpoints, so can add a private endpoint to a workspace. This doesn't limit access to a single workspace though, although could add a rule to limit inbound from that network to certain API paths.

[david-salac]

Hello, has there been any progress with this? Is there a plan to include it in any release soon? Cheers.

[marrobi]

@david-salac no, no immediate plans. What's the use case?

It's not straightforward as need to ensure cant access another workspace/UI should only be scoped to the current workspace.

[david-salac]

We need to disable clipboard paste and keep airlock (and DS provisioning) working; this is one of the ways (if not the only one) to achieve that.

[marrobi]

Understood, most customers allow paste in given the limited capacity of the Guacamole clipboard and impact on researcher productivity of blocking it completely. It might sound like a good idea initially but researchers soon become hamstrung.