feat: add authentication documentation for REANA JupyterLab extension #35
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Authentication | ||
|
|
||
| ## Token Reuse | ||
|
|
||
| The REANA JupyterLab extension automatically reuses the existing JWT access token issued by the Identity Provider (IdP) that authenticated the current JupyterLab session, ESCAPE INDIGO IAM in the VRE, so no additional login or authentication steps are required. | ||
|
|
||
| ## Verifying Access | ||
|
|
||
| You can verify that authentication is working properly: | ||
|
|
||
| 1. Open Reana JupyterLab by clicking on the REANA icon in the JupyterLab sidebar | ||
| 2. Check if you can see your workflows listed | ||
| 3. Open a workflow detail panel to see its contents | ||
|
|
||
| If these actions succeed, your authentication is working correctly. If you see "unauthorized" errors or empty lists where you expect content, there may be an authentication issue. | ||
|
|
||
| ## Authentication Flow | ||
|
|
||
|  | ||
|
|
||
| *Authentication flow: Your VRE login generates a token that is automatically injected into your container environment and configuration, allowing the extension to access REANA resources on your behalf.* | ||
|
|
||
| ## Troubleshooting | ||
|
|
||
| If you encounter authentication problems: | ||
|
|
||
| - **Token expired?** Restart your JupyterLab container to get a fresh token | ||
| - **Still not working?** Re-login to the VRE web interface, then launch a new JupyterLab session | ||
| - **Need different credentials?** Use the connection configuration panel (see below) | ||
|
|
||
| ## Optional Connection Configuration | ||
|
|
||
| You can still manually configure the connection to a different REANA instance: | ||
|
|
||
| 1. Open Reana JupyterLab by clicking on the REANA icon in the JupyterLab sidebar | ||
| 2. Click on the connection settings icon | ||
| 3. Enter a REANA server URL and the REANA access token. | ||
|
|
||
| After connecting to the REANA server, a notification will appear in the bottom right corner of the screen indicating that the connection was successful. You can now interact with the REANA server from within JupyterLab. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,6 +5,30 @@ Explore Reana on the software's [official documentation](https://docs.reana.io/) | |
|
|
||
| You can find other examples of differen workflow languages on the [official Reana documentation](https://docs.reana.io/advanced-usage/access-control/rucio/). | ||
|
|
||
| # Authentication with reana-client | ||
|
|
||
| The REANA client provides a command-line interface for authenticating with the REANA server. You can use the `reana-client auth` command which initiates an OAuth 2.0 device flow authentication: | ||
|
Member
There was a problem hiding this comment. Please add a link for oauth2.0 so that people can educate themselves, for example |
||
|
|
||
| ```bash | ||
| $ reana-client auth | ||
| ``` | ||
|
|
||
| This command will provide you with a URL to visit and a code to enter, allowing you to authenticate through your browser. You can read more about OAuth2.0 and the device flow authentication in the [What is OAuth2.0 docs by auth0](https://auth0.com/intro-to-iam/what-is-oauth-2). | ||
|
|
||
| Example output: | ||
|
|
||
| ```text | ||
| $ reana-client auth | ||
| Go to: https://iam-escape.cloud.cnaf.infn.it/device | ||
| Enter code: ****** | ||
| Or open: https://iam-escape.cloud.cnaf.infn.it/device?user_code=****** | ||
| Waiting for authorization... | ||
| ``` | ||
|
|
||
| :::warning[Important] | ||
| When using the `reana-client auth` command, please note that the VRE JupyterLab extension may not be automatically updated with your new authentication token. If you're using both the command-line client and the JupyterLab extension, you may need to restart your JupyterLab session for the extension to recognize your new authentication status. | ||
| ::: | ||
|
|
||
| # Reana - Rucio integration | ||
|
|
||
| A functionality to directly upload files from a Rucio RSE to the Reana workspace has been implemented. In this way, users can immediately reproduce an analysis on Reana without having to first download files locally from Rucio and then upload them to the Reana workspace. | ||
|
|
@@ -92,4 +116,4 @@ $ reana-client upload | |
| $ reana-client start | ||
| $ reana-client status | ||
| ``` | ||
| 5. Check the state of your workflow on https://reana-vre.cern.ch/. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the
unauthorizedfeature developed and implemented ?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "unauthorized" message is my assumption for an error message that could appear if something goes wrong.
This PR contains documentation about multiple things that have not been developed and implemented, and I had to assume and think through some of the issues/challenges that may arise. Do you think it could be useful to make the docs more abstract and this paragraph to avoid specific values?