Nersc deployment adaptations (Auth, Environment variables) #124
Conversation
|
Staging application has been deployed and is available at: https://dash5-services.plotly.host/ml-exchange-staging |
app.py
Outdated
| app = Dash(__name__) | ||
| server = app.server | ||
|
|
||
| auth = dash_auth.BasicAuth(app, VALID_USER_NAME_PASSWORD_PAIRS) |
There was a problem hiding this comment.
Wondering if we want to make this something like:
auth = dash_auth.BasicAuth(app, VALID_USER_NAME_PASSWORD_PAIRS) if os.getenv("env") != "local" else None
So that we can set a local mode where we don't have to log in each time while developing.
There was a problem hiding this comment.
I have added a DASH_DEPLOYMENT_LOC variable that steers if authentication is enabled (when that variable is set to 'Local') or not.
| @@ -126,7 +126,7 @@ def save_annotations_data(global_store, all_annotations, project_name): | |||
| load_dotenv() | |||
|
|
|||
| TILED_URI = os.getenv("TILED_URI") | |||
| API_KEY = os.getenv("API_KEY") | |||
| TILED_API_KEY = os.getenv("TILED_API_KEY") | |||
There was a problem hiding this comment.
I'm testing this against our local Tiled server as well and get surprising behaviour with this change. My Python code throws an authentication error:
raise ClientError(message, exc.request, exc.response) from exc
tiled.client.utils.ClientError: 401: Invalid API key http://localhost:8000/api/v1/metadata/
And the local Tiled server blocks my requests:
INFO: 127.0.0.1:62131 - "GET /api/v1/metadata/clay_testZMQ HTTP/1.1" 401 Unauthorized
This seems to be only the case if this variable is called TILED_API_KEY. Not a problem, for example, if I change this to TLD_API_KEY. Wondering if this is because Tiled is trying to be too smart under the hood and something in the local client detects any env var with this name and tries to apply it?
There was a problem hiding this comment.
Indeed, you are right. My current understanding of what causes this error is as follows:
The client picks up on TILED_API_KEY being set as an environment variables and then uses that as an API key to authenticate, see [tiled/client/context.py#L79].(https://github.com/bluesky/tiled/blob/7566d0f2d61cb0477bf187b33e94d7449358c4e5/tiled/client/context.py#L79)
Our local server started with tiled serve directory --public data is in principle accessible without a key (we are allowed to read data without having an api_key in the request), but it does generate a key on startup (which would be needed for writing data). Our requests having a different key then causes the error.
There was a problem hiding this comment.
I see 2 main ways to address this:
- Rename the
TILED_API_KEYenvironment variable to something else, or - Start our local tiled server with the api key from the environment, such that we get a match again.
Keeping in mind that we may have this application run in different deployment environments and hooked up to different Tiled servers, I think I would like to stay away from baking in more semantics into the variable. In the latest update, I thus added a script that starts the local server with the TILED_API_KEY from the environment file by setting the TILED_SINGLE_API_KEY variable that the server makes use of (if set).
Let me know if that works for your test workflow @hannahker.
This PR groups some minor changes in relation to the deployment on Nersc. Most importantly it adds the basic auth wrapper, for now with a single username-password pair.
Additionally the following minor changes are included:
API_KEYtoTILED_API_KEYto prepare for adding other keys (e.g. to Splash ML)TILED_URItohttps://tiled-seg.als.lbl.govinREADME.mdEXPORT_FILE_PATHto be an environment variableconstants.pyindocker-compose.yml*env/