11.3. Sharing with other users or groups of users

Overview

For certain use cases it is beneficial to be able to share applications with other users/groups. Cloud platform allows ability when runs environments will be accessed for several users, not only for the user, who launched the run (OWNER).
Sharing of a run - allows to share as the interactive tools endpoints (e.g. rstudio, jupyter, nomachine, etc.) and SSH sessions too.

Sharing a run with user(s)

In this example we will share a run with other user(s).

Note: for do that, user account shall be registered within CP users catalog and granted READ & EXECUTE for the pipeline/tool. User must be an OWNER of the running instance.

Note: in the example we will share a run of the RStudio tool (for more information about launching Tools see 10.5. Launch a Tool).

  1. Open run logs of the instance:
    CP_SharingRuns
  2. Click the link near the label "Share with":
    CP_SharingRuns
  3. In the opened pop-up window click CP_SharingRuns button.
  4. In the appeared window enter user name, for whom you want to share running instance. Confirm selected user by clicking the OK button:
    CP_SharingRuns
  5. If necessary, add more users.
    If you want to give a SSH-access to the instance - set the Enable SSH connection checkbox. If this checkbox is not set, only the interactive tools endpoints will be shared.
    When finished, click the Ok button:
    CP_SharingRuns
  6. In the run logs, users names for whom you shared running instance will appear near the label Share with:
    CP_SharingRuns
  7. Copy the link near the label Endpoint, send it to users, for whom you shared the instance:
    CP_SharingRuns

To share the SSH-access to a non-interactive run for the user - use the similar steps.
For a non-interactive run the "share" pop-up looks slightly different ("Enable SSH connection" checkboxes are missed):
CP_SharingRuns

Sharing a run with users group(s)

In this example we will share a run with other users group(s).

Note: for do that, user account shall be registered within CP users catalog and granted READ & EXECUTE for the pipeline/tool. User must be an OWNER of the running instance.

Note: in the example we will share a run of the RStudio tool (for more information about launching Tools see 10.5. Launch a Tool).

  1. Open run logs of the instance:
    CP_SharingRuns
  2. Click the link near the label Share with:
    CP_SharingRuns
  3. In the opened pop-up window click CP_SharingRuns button.
  4. In the appeared window enter user group's name, for which you want to share running instance. Confirm selected user group by click the OK button:
    CP_SharingRuns
  5. If necessary, add more groups.
    If you want to give a SSH-access to the instance - set the Enable SSH connection checkbox. If this checkbox is not set, only the interactive tools endpoints will be shared.
    When finished, click the OK button:
    CP_SharingRuns
  6. In the run logs, user group names, for which you shared running instance, will appear near the label Share with:
    CP_SharingRuns
  7. Copy the link near the label Endpoint, send it to users, for which group(s) you shared the instance:
    CP_SharingRuns

To share the SSH-access to a non-interactive run for the user group - use the similar steps.
For a non-interactive run the "share" pop-up looks slightly different ("Enable SSH connection" checkboxes are missed):
CP_SharingRuns

Work with a sharing running instance (for not owners/admins)

A current user can be accessed to a service, without running own jobs, if that service was shared for a current user or his group(s).
Note: for do that, user account shall be registered within CP users catalog and granted "sharing" permission for the instance.

Way 1

  1. Log in at the Cloud Pipeline. Open a new tab in a browser and input the link of the sharing running instance, that you received.
  2. The GUI of the Tool, of that running instance was shared, will be displayed. For example described above, it will be the RStudio GUI:
    CP_SharingRuns

Way 2

  1. On the Home dashboard click CP_SharingRuns button.
  2. In the opened popup enable the checkbox SERVICES and click the OK button:
    CP_SharingRuns
  3. On the appeared SERVICES widget at the Home dashboard page accessible "shared" services will be displayed:
    CP_SharingRuns
  4. Click it. The GUI of the Tool of the running shared instance will be displayed.
    CP_SharingRuns

Way 3. For the runs with the shared SSH-access

If Enable SSH connection checkbox was set at the sharing configure form (for the interactive run) or the non-interactive run was shared with a current user or his group(s), the SSH-access to the running instance can be obtained. For that - hover over the service "card" in the SERVICES widget at the Home dashboard page and click the SSH hyperlink:
CP_SharingRuns
A new page with the Terminal access to the shared instance will appear:
CP_SharingRuns

Sharing runs with the anonymous users

For certain use-cases, it is required to allow such type of access for any user, who has successfully passed the IdP authentication but is not registered in the Cloud Pipeline and also such users shall not be automatically registered at all and remain Anonymous.
To enable such behavior, the following application properties have to be specified before the deployment:

  • saml.user.auto.create=EXPLICIT_GROUP
  • saml.user.allow.anonymous=true

Once anonymous access is enabled system-wide each run that requires to be accessible by Anonymous has to be configured to share endpoints with the following user group - ROLE_ANONYMOUS_USER.

It could be performed in the following way:

  • Cloud Pipeline user launches the run whose interactive endpoint he wishes to share.
  • The user opens the Run logs page of the launched run
  • Then clicks the link near the Share with label:
    CP_SharingRuns
  • In the opened popup clicks the corresponding button to share with a group/role:
    CP_SharingRuns
  • In the appeared window, the user should select the ROLE_ANONYMOUS_USER role:
    CP_SharingRuns
  • Sharing with the Anonymous will be displayed at the Run logs page:
    CP_SharingRuns
  • The user should copy the Endpoint-link of the run and send it to the Anonymous user he wants to share.

Anonymous user should open a new tab in a browser and just input the link of the sharing running instance, that he has received. If that user passes SAML authentication, he will get access to the endpoint. Attempts to open any other Platform pages will fail.

Note: a user is treated as Anonymous if he is logging in and the SAML response is valid, but the user is not registered in the Platform and the auto-registration (of any kind) is not enabled.