Authenticating with Public WebApps

adamnieto
Authenticating with Public WebApps

Hello,

I was wondering if anyone knows if it is possible to authenticate a DSS user to a project web app that is both public but they do not have project access to. 

I have been using code that looks like this:

 

 

@app.route('/authenticate')
def authenticate():
    try:
        request_headers = dict(request.headers)
        # Get the auth of the user performing the request
        # If the user is not authenticated, this will raise
        client = dataiku.api_client()
        auth_info = client.get_auth_info_from_browser_headers(request_headers)
        print ("User doing the query is %s" % auth_info["authIdentifier"])

        user = list(filter(lambda user: user["login"].lower() == auth_info["authIdentifier"].lower(), client.list_users()))[0]
        
        # Allows only workspace admins to have access to portal
        
        # Get workspace admins list
        workspace_admins = dataiku.Dataset('workspace_admins')
        workspace_admins_df = workspace_admins.get_dataframe()
        fltr_df = workspace_admins_df.loc[workspace_admins_df['admin_username'] == user['login'].lower()]
        admin_workspaces_lst = fltr_df.workspace_id.tolist()
        if len(admin_workspaces_lst) > 0:
            return json.dumps({"status":"ok","data":user['login'].lower()})
        else:
            # User is not allowed to enter portal
            return json.dumps({"status":"ok","data":"forbidden"})
    except dataikuapi.utils.DataikuException as err:
        return  json.dumps({"status":"ok","data":"not_authenticated"})
    except Exception as err:
        logger.error(traceback.format_exc())
        return traceback.format_exc(), 500

 

 

 

For users that don't have project access they see the following error in their browser. 

You do not have permission to read-use for dashboard...."  

 It lists the web app and project name after the "...".

Thank you for your help!

Adam

0 Kudos
8 Replies
adamnieto
Author

The error that the user receives by the way appears to be from Dataiku itself. It's error type is 

"errorType":"com.dataiku.dip.exceptions.UnauthorizedException"
0 Kudos
Fahim
Level 1

Hi Adam,

Were you able to resolve your issue? If so, could you please let us know how you did it.

Thank you!

0 Kudos
adamnieto
Author

Yes, 

You can add the user as an "Additional dashboard users" so you allow them to get access to just the web app without having access to the full project. Please see the picture below for more details:

 

dataiku_dashboard_user.png

 

adamnieto
Author

You may be able to also just share it to a workspace but I haven't tried it out that way before, so I am not exactly sure. 

0 Kudos
Fahim
Level 1

Thank you for this! This helps! But what if the user doesn't have a Dataiku login? What "login" do you provide under the additional dashboard users or do you control the "logins" using code? 

0 Kudos
Fahim
Level 1

My apologies. I think I get it now. So you pass those dashboard authorized users back to your function. 

0 Kudos
adamnieto
Author

If the user doesn't have a DSS login then you can't use this code to authenticate them. This code specifically authenticates them into the web app using the DSS login system.

It sounds like with your case you can just make it simple. Just make your web app a "public" web app. You can follow up on how to do that here: Public webapps — Dataiku DSS 10.0 documentation

In my case, I had a public web app which I also wanted to add custom authentication for specific use cases. What this meant for me is that some of my web app's pages were available to any user that could access the URL (didn't need access to DSS) and other pages of my web app required login (requiring a DSS account).

0 Kudos
adamnieto
Author

I am re-reading my code above and realize that it may be confusing in the context of DSS 9 + with the "workspace" variables and "workspace_admins" dataset. I was using this code before Dataiku made the workspaces feature available in DSS. The web app I was making was called the "Workspace Portal" and it had a data model called "Workspace" so just keep in mind the workspace stuff going on in this code has nothing to do with the workspace feature that DSS currently has since DSS 9. 

0 Kudos