voila-dashboards / voila

Voilà turns Jupyter notebooks into standalone web applications
https://voila.readthedocs.io

Can I choose who can read/run my voila notebooks? #216

Open mwouts opened 5 years ago

mwouts commented 5 years ago

Thanks for working on voila!

I have a question regarding authentication: can I use voila with https? Is it possible to make the notebooks accessible only to selected users? Thanks

timkpaine commented 5 years ago

I'm planning on implementing a prelaunch hook where you can interrogate the request. For my use case, I will guard the voila instance with a landing page that does login, then the prelaunch hook will either allow the notebook or display an error page saying the user is not permissioned. Not sure if the voila maintainers have plans to do this anyway but I'll be writing it in the next few days.

mwouts commented 5 years ago

That sounds great! I am looking forward to testing this when available. Thanks @timkpaine.

timkpaine commented 5 years ago

will be doing the work in https://github.com/QuantStack/voila/pull/218

maartenbreddels commented 5 years ago

Hi Marc & Tim,

https is almost possible, we need to expose the certfile options only I think.

Authentication can be customized using login_handler_class configuration setting for Tornado. In the notebook, the NotebookApp is used to pass the configuration to the VoilaHandler (which subclasses AuthenticatedHandler).

I am not sure if we should expose this ourselves as a configuration in VoilaConfiguration, or if we should rely on jupyter_server for this.

I can imagine the login handler for voila to be configured separately from jupyter_server/notebook/lab, since I'd like it to be more permissive for voila than for the notebook (when they both run on the same server).

Maybe we should have the VoilaHandler use a different login_handler_class, which can be configured using VoilaConfiguration. This would make it possible to have the normal notebook login, but have no (or a different) voila login system.

timkpaine commented 5 years ago

@maartenbreddels makes sense to me. I don't know enough about jupyter_server vs voila to know who should handle it, but your intuition to make it optionally separately configurable sounds like the right direction.

mwouts commented 5 years ago

Hello @maartenbreddels, that's interesting. Yes, being able to provide "password", "certfile" and "keyfile" on the ServerApp would be a good starting point - at least I could use https and give the application password to authorized users only.

I did try to follow the notebook documentation with jupyter notebook replaced with jupyter server, and was able to generate a jupyter_server_config.json file with jupyter server password. But apparently that file is not used by voila yet - is that correct?

maartenbreddels commented 5 years ago

voila standalone reads voila.json/.py, and indeed. It would be more jupyter-like to have VoilaApp inherit from JupyterApp, which would then read jupyter_config.py/.json and jupyter_voila_config.py. I'm not sure how that ties in with the modifications to the config system we have in mind (having a conf.d subdir like we now have for automatic nbextension enabling).

mwouts commented 5 years ago

Thanks @maartenbreddels

> voila standalone reads voila.json/.py

Interesting! I've tried to add a voila.json file in my .jupyter folder, but that does not seem to work yet. I should have a look at the code to find when the config is loaded... I'll do that soon.

maartenbreddels commented 5 years ago

adding:

--Voila.log_level=DEBUG

might be useful, it should print out where it is looking at.

mwouts commented 5 years ago

I see. The file was at the correct place (either .jupyter or the current folder), it was just an issue with the config file itself, which was acting on ServerApp instead of Voila. Now, I can change the port by setting an option on the Voila object, like here:

{
  "Voila": {
    "port":8867,
    "password": "sha1:xxxx:xxxxxxxxxxxxxxxxxxxxxxxxxx",
    "password_required":true,
    "certfile": "/etc/.../certs/hostname.chained.crt",
    "keyfile": "/etc/.../private/hostname.key"
  }
}

However the approach does not seem to work with the other fields like password... (and I've tried already to replace Voila with ServerApp, JupyterApp, App just in case, but that did not activate the password):

[Voila] WARNING | Config option `password` not recognized by `Voila`.
[Voila] WARNING | Config option `password_required` not recognized by `Voila`.
[Voila] WARNING | Config option `certfile` not recognized by `Voila`.
[Voila] WARNING | Config option `keyfile` not recognized by `Voila`.

maartenbreddels commented 5 years ago

Yes, that part is still missing (certfile, keyfile). It might be worth waiting till we base more of voila on jupyter-server, so we do not do needless work with this (sorry 😄).
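
A deployment check built on the warnings quoted above, as an added example that is not part of the thread or of Voilà's code: it parses the startup log and reports security settings that the config file requested but the application ignored, so the server is not exposed without the TLS and password settings its operator expected. The option set, function names and sample values are assumptions made for illustration.

```python
import json
import re

# Assumed set: options whose loss leaves the server without TLS or a password.
SECURITY_OPTIONS = {"password", "password_required", "certfile", "keyfile"}

# Warning format as it appears in the log lines quoted in the thread.
WARNING_RE = re.compile(
    r"^\[(?P<app>\w+)\] WARNING \| Config option `(?P<option>\w+)` "
    r"not recognized by `(?P<cls>\w+)`"
)

def ignored_options(log_text):
    """Return {class_name: {option, ...}} for every 'not recognized' warning."""
    ignored = {}
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if m:
            ignored.setdefault(m.group("cls"), set()).add(m.group("option"))
    return ignored

def dropped_security_settings(config_text, log_text):
    """List 'Section.option' entries the config requests but the app ignored."""
    config = json.loads(config_text)
    ignored = ignored_options(log_text)
    dropped = []
    for section, options in config.items():
        for name in options:
            if name in SECURITY_OPTIONS and name in ignored.get(section, set()):
                dropped.append(f"{section}.{name}")
    return sorted(dropped)

# Constructed sample input: same shape as the config in the thread, placeholder values.
SAMPLE_CONFIG = """{"Voila": {"port": 8867, "password": "PLACEHOLDER-HASH",
  "password_required": true, "certfile": "/placeholder/host.crt",
  "keyfile": "/placeholder/host.key"}}"""
SAMPLE_LOG = """\
[Voila] WARNING | Config option `password` not recognized by `Voila`.
[Voila] WARNING | Config option `password_required` not recognized by `Voila`.
[Voila] WARNING | Config option `certfile` not recognized by `Voila`.
[Voila] WARNING | Config option `keyfile` not recognized by `Voila`.
"""

if __name__ == "__main__":
    dropped = dropped_security_settings(SAMPLE_CONFIG, SAMPLE_LOG)
    if dropped:
        raise SystemExit("not exposing server; ignored: " + ", ".join(dropped))
```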

mwouts commented 5 years ago

No problem @maartenbreddels - we'll keep in touch then! And thanks for answering my questions. Also, @timkpaine I did follow your links... your voila-dashboard project looks awesome!

mwouts commented 5 years ago

@maartenbreddels, I am not sure where to look for the release notes of voila... Is voila 0.1.10 now based on Jupyter Server? Should I give another attempt at configuring passwords and certificates? Thanks!

maartenbreddels commented 5 years ago

Not yet #369

Voila standalone is still not based on jupyter_server.

mwouts commented 5 years ago

Thanks @maartenbreddels for the update! I will follow #270, then.

rladeira commented 4 years ago

Currently, is there some way to control access in voila applications? Something like: a user can have access just to some pre-specified folders.

timkpaine commented 4 years ago

@rladeira afaik no, not yet.

SylvainCorlay commented 4 years ago

@rladeira this is more in the scope of JupyterHub which is the multi user application serving Jupyter notebooks, voila dashboards, handling authentication and authorizations.

rladeira commented 4 years ago

Thanks for the answers, @timkpaine and @SylvainCorlay.

Any references on how to integrate JupyterHub and voila dashboards?

wasaga commented 3 years ago

You may set up an authentication and authorization proxy: https://github.com/gwrun/tutorials/tree/main/voila/docker-compose

danlester commented 3 years ago

If you are running a JupyterHub and want to share ad-hoc Voilà dashboards with specific users via the same authentication as used in your JupyterHub, please take a look at my ContainDS Dashboards project.