Setting Interactive App Permissions

brandon-biggs · December 16, 2020, 10:17pm

I have an interactive app category called “sandbox”. Under sandbox I have 5 forms. Each form submits to the same cluster, however each app has different attributes and different groups of people that can access each one. I can set the attributes/change the form. That’s not a problem, but I was wondering if there was a way to set different permissions for each app under sandbox?

I’ve been able to set ACLs in the cluster config like the documentation defines here, but this seems that it sets the same permissions for every app that submits to the cluster in the cluster config. Do I need to create a cluster config per app that exists under sandbox? This wouldn’t be a big deal except that it creates a new cluster under the “active jobs” passenger app for each new cluster_config. So this would essentially create 5 duplicates.

jeff.ohrstrom · December 17, 2020, 4:37pm

I think you’re looking for file permission ACLS. If you chown or setfactl on the form.yml files then you should be able to.

But I’d also suggest thinking about this another way. Maybe 1 app, 1 form and in that form you make decisions about what to show. Of course I can only assume your use case at this point. But it may be easier to manage/maintain 1 file rather than 5.

Here’s an example of how we do this in Jupyter, where we show class material if you’re enrolled in that class (you have group membership in that class).

github.com

OSC/osc-ood-config/blob/master/class.osc.edu/apps/bc_osc_jupyter/form.yml.erb

<%- 

  groups = OodSupport::Process.groups.map(&:name)
  staff = groups.include?('oscall')

  base_modules = "project/classes"

  group_lookup = {
    "BIOCHEM 5721"     => "PAS1745",
    "PHYSICS 6820"     => "PAS1759",
    "OSC JUPYTER"      => "oscall", #not really required, but kept to avoid confusion
    "PHYSICS 280 WIT"  => "PWIT0412",
    "PHYSICS 4032 OU"  => "PHS0342",
  }.select { |k,v| groups.include?(v) }

  classes = {
    "BIOCHEM 5721"     => "#{base_modules} class/BIOCHEM5721",
    "PHYSICS 6820"     => "#{base_modules} class/PHYSICS6820",
    "OSC Jupyter"      => "#{base_modules} class/OSCJUPYTER",
    "PHYSICS 280 WIT"  => "#{base_modules} class/PHYS280_WIT",

This file has been truncated. show original

brandon-biggs · December 17, 2020, 4:37pm

Thanks Jeff.

That Jupyter example is great. That may work for what I was trying to do. I’ll have to experiment with that to see if I can get it to work how I’m imagining this is setup. You’re definitely right about preferring to manage 1 form instead of 5.

Thanks for the information about file permissions as well!