In the hub.jupytearth.org JupyterHub, admin users get read/write access to a shared folder, and normal users get read access to a shared folder - besides their normal user folder.
@abbyazari, an admin user who wanted to copy large amounts of data to the shared folder, asked if sftp access to that could be granted somehow. And here I am, raising this for consideration.
Can jupyterhub-sftp expose access to a shared folder in the mounted storage or similar somehow?
I'm not sure at all about that. I think it must be an elegant generally helpful solution that is documentable, and not a solution that makes the logic unsustainable to maintain. Is there a technical solution to accomplish that? I'm not sure...
Technical exploration
The jupyterhub-sftp server mounts shared NFS storage
The jupyterhub-sftp server exposes a specific folder, the home folder, for a specific end user
Brainstorming
Discarded idea: ugly workaround
If the shared storage would be named as a dummy username, it could be accessed using the same system where a dummy user's token is used etc...
Discarded idea: arbitrary NFS server path if you are a JupyterHub admin
Would it be reasonable for a JupyterHub admin associated token to be used to provide arbitrary credentials to the NFS server storage, or alternatively, arbitrary storage that isn't user home folder storage?
I imagine for example being able to mount the root directory of the NFS storage, or being able to request some kind of specific storage path, as declared via the username when opening the connection?
Discarded idea: root access for hardcoded JupyterHub RBAC role's associated tokens
With JupyterHub 2.0, we can create custom rules and grant them to custom people. What if we for example allow access via sftp root@myhub.com where a token needs to be provided to have a certain custom role defined ahead of time, granting access to the root folder of the storage?
The UX would be that:
Some system admin would set up a JupyterHub role and an associated jupyterhub api-token bound to that role.
jupyterhub-sftp would look for that role specifically.
Hmmm... rethinking this.
Still considered idea: configurable path access for configurable JupyterHub RBAC roles' tokens
The UX would be that:
Some system admin would set up a JupyterHub role and an associated jupyterhub api-token bound to that role.
Some system admin would configure jupyterhub-sftp via some new configuration API to recognize a request for custom storage via an sftp username like a role-<role-name> pattern, which would, based on the jupyterhub-sftp configuration, be coupled with a custom storage path.
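One way the role-<role-name> lookup in the still-considered idea could be checked, as an added example that is not part of the original issue or of jupyterhub-sftp's code. STORAGE_ROOT, ROLE_PATHS and resolve_sftp_root are hypothetical names, and the role names bound to the presented token are assumed to have been looked up from JupyterHub already.

```python
import re
from pathlib import PurePosixPath

# Hypothetical configuration (constructed sample values, not a real
# jupyterhub-sftp option): role name -> directory below the storage mount.
STORAGE_ROOT = PurePosixPath("/mnt/home")
ROLE_PATHS = {"shared-rw": "shared"}

# Usernames starting with "role-" are reserved for role logins, so a
# regular hub user with such a name cannot collide with a role.
ROLE_USERNAME = re.compile(r"role-([a-z0-9][a-z0-9-]{0,62})")
HOME_USERNAME = re.compile(r"[a-z0-9][a-z0-9._-]{0,62}")


class AccessDenied(Exception):
    """Raised when the login must not be given any storage path."""


def _below_root(relative):
    # Configured or derived paths must stay inside STORAGE_ROOT.
    rel = PurePosixPath(relative)
    if rel.is_absolute() or not rel.parts or ".." in rel.parts:
        raise AccessDenied(f"path escapes storage root: {relative!r}")
    return STORAGE_ROOT / rel


def resolve_sftp_root(sftp_username, token_owner, token_roles,
                      role_paths=ROLE_PATHS):
    """Return the only directory this sftp session may see.

    token_owner / token_roles describe the API token given as the
    password (assumed to be fetched from JupyterHub beforehand).
    """
    match = ROLE_USERNAME.fullmatch(sftp_username)
    if match:
        role = match.group(1)
        # Deny by default: the role must be configured AND held by the token.
        if role not in role_paths:
            raise AccessDenied(f"no storage path configured for role {role!r}")
        if role not in token_roles:
            raise AccessDenied(f"token is not bound to role {role!r}")
        return _below_root(role_paths[role])
    # Ordinary login: only the home folder of the token's own user.
    if not HOME_USERNAME.fullmatch(sftp_username):
        raise AccessDenied("malformed username")
    if sftp_username != token_owner:
        raise AccessDenied("token does not belong to this user")
    return _below_root(sftp_username)
```

Because the path comes only from server-side configuration, the client can pick between configured roles but never name a path itself, which is what separates this from the discarded "arbitrary NFS server path" idea.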