TFJobs UI doesn't work behind IAP; React APP needs support IAP? #574
@jlewi @ankushagarwal Could one of you grant me access to dev.kubeflow.org so I can test this? @jlewi This is most likely |
@jlewi @ankushagarwal me too - Jeremy I know you tried adding me using my corp account but both don't seem to work (kamkasravi@gmail.com and kam.d.kasravi@intel.com). Sorry for being a pest. I've had perhaps similar issues with the IAP I've set up (uses kubernetes 1.9) with the backend loadbalancers getting in the way. I tried logging into an envoy proxy as suggested and using curl to access noiap/whoami - no issues. It worked at one point a few weeks ago I think. |
@kkasravi Doesn't look like you were a member so I added @intel.com @wbuchwalter Can you send me your corporate account? I generally prefer to add corporate ids. |
I think @wbuchwalter started looking at this last week. |
@wbuchwalter any update? |
Punting to 0.3 because no one is actively working on this so I don't think it's going to make the cut for 0.2. |
@jlewi I can look at this - given my recent wrestling with jupyterhub I think it should be straightforward. |
There's some guidance here about handling IAP refresh |
I just noticed that when I access the TFJobs dashboard the javascript console shows
|
Here's a suggestion I got
|
@ankushagarwal Can you coordinate with Kam and try out the simple fix listed above? /assign @ankushagarwal |
for jupyterhub it sets the x-goog-authenticated-user-email for REMOTE_USER - https://github.com/cwaldbieser/jhub_remote_user_authenticator#f1 - probably not telling @ankushagarwal anything he doesn't already know ... |
/assign @kkasravi |
working on this - had a few problems creating an IAP enabled cluster within our PROJECT |
@kkasravi Kam you have access to project kubeflow-dev. Feel free to use that. |
the services.js does have the fetch on line 5
However I don't think that's the problem. I put tf-jobs behind ambassador and chrome is telling me that I added cors to the tf-jobs-dashboard ambassador annotation by editing it directly
i'm testing this approach. Will likely need to update the bootstrapper image. |
i think i may need to rebuild the centraldashboard. Pinged @swiftdiaries |
@kkasravi What is the connection between centraldashboard and the TFJobs UI? |
Answered in Slack but copying here for tracking purposes: when Kubeflow is deployed with IAP enabled and you click on the 'tfjob' link in the Kubeflow dashboard, in the browser you'll see an error 'Failed to load https://accounts.google.com/o/oauth2/v2/auth?client_id=336335541993-1m7cegck4jic23263v0gplhc46f4rmmj.apps.googleusercontent.com...: No 'Access-Control-Allow-Origin' header is present on the requested resource'. The browser fails to load the oauth call to google because the request didn't set Origin, Access-Control-Request-Method, Cookie. If these request headers are set on the call to /tfjobs/ui/ then google will return Access-Control-Allow-Origin which will allow the browser to make the call to google for authentication. This can be set in ambassador which will then allow the browser to call accounts.google.com and fetch the credentials. I'll provide a writeup on the issue and a reference in the PR. |
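Added example, not part of the thread and not the tf-operator `services.js`: a fetch wrapper for a UI behind an authenticating proxy such as IAP, which sends the session cookie and reports a sign-in redirect as a state the app can handle instead of a failed cross-origin load. The function names are hypothetical, and the 401-on-AJAX behaviour tied to the `X-Requested-With` header is an assumption about the proxy.

```javascript
// Added example; function names are hypothetical, not tf-operator's services.js.

// Merge caller options with the settings an authenticating proxy needs.
// Assumes init.headers, if given, is a plain object.
function buildRequestInit(init = {}) {
  return {
    ...init,
    // Send the proxy's session cookie with same-origin API calls.
    credentials: 'same-origin',
    // Do not follow a sign-in redirect to another origin; surface it instead.
    redirect: 'manual',
    headers: {
      // Assumption: the proxy answers 401 rather than redirecting when a
      // request identifies itself as AJAX with this header.
      'X-Requested-With': 'XMLHttpRequest',
      ...(init.headers || {}),
    },
  };
}

// Decide what the UI should do with a response from behind the proxy.
function classifyResponse(res) {
  // With redirect: 'manual' a redirect shows up as an opaque, status-0 response.
  if (res.type === 'opaqueredirect' || res.status === 401) return 'reauthenticate';
  if (!res.ok) return 'error';
  const ctype = (res.headers && res.headers.get('content-type')) || '';
  // An HTML page (for example a sign-in page) must not be fed to JSON parsing.
  return ctype.includes('application/json') ? 'ok' : 'not-json';
}

// fetchImpl is injectable so the wrapper can be exercised without a network.
async function apiFetch(url, init, fetchImpl = fetch) {
  const res = await fetchImpl(url, buildRequestInit(init));
  const state = classifyResponse(res);
  return { state, data: state === 'ok' ? await res.json() : null };
}
```

On `reauthenticate` the app should do a top-level navigation (for example a page reload) so the sign-in flow runs as a normal page load rather than as a background request.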
update: testing changes in tf-operator frontend services.js |
@kkasravi I can try this out. I've got a sample app running. Here are the headers I see
|
I ran into some really strange behavior with ksonnet and adding Ambassador mappings; see ksonnet/ksonnet#670 |
* This is intended to support debugging IAP; we want to see what headers are on resulting requests. * See kubeflow#574 * While creating this I ran into an issue with ksonnet not formatting the Ambassador mapping correctly unless we import it from a libsonnet file see ksonnet/ksonnet#670
I tried the two fixes Kam mentioned above #1 Use #688 in TFJobs UI to set request headers. For #1 I used When I navigate to tfjobs/UI I'm still seeing errors
When I try to create a job in the UI I get
|
I ran an experiment where I enabled CORS everywhere using a firefox plugin. That fixed the Failed to load error. Now it looks like I'm just getting the json error. When I created a TFJob (via the CLI) it showed up in the dashboard but when I tried to click on it I got the json error above. I have v1alpha2 of TFJob configured. I wonder if it's still using TFJob v1alpha1 and that is the problem. |
@jlewi are you using 'default' for the namespace? I opened kubeflow/training-operator#701 which happens when a different namespace is used (in the UI not the CLI). I found that the POST to create the tfjob was reaching the server. I'm wondering if my cors headers aren't correct if your firefox plugin is working everywhere or cors needs to be set earlier before tfjobs is selected - in the central ui splash page. I mentioned that I get the 'Failed to load ...' error 1 time when going to the tfjob page and afterwards i don't see it reappearing even though the /tfjob/ refreshes every 30sec or so. I'm working on a fix for kubeflow/training-operator#701 which adds the KUBEFLOW_NAMESPACE to the tf-operator environment in tf-job-operator.libsonnet. |
@kkasravi Kubeflow is deployed in namespace kubeflow. I think I used that namespace for the job as well. Would it be worth while to try to create a simple test app that we could use to work out the CORS issues without conflating it with other issues? I'm not sure what that would look like exactly. |
Won't be able to get to this until late afternoon/early evening due to PTO plans most of day. Will update |
* Create a version of echo-server to echo headers. * This is intended to support debugging IAP; we want to see what headers are on resulting requests. * See #574 * While creating this I ran into an issue with ksonnet not formatting the Ambassador mapping correctly unless we import it from a libsonnet file see ksonnet/ksonnet#670 * Address comments. * Reference the images in kubeflow-images-public. * Autoformat.
i believe what is remaining on this is PR kubeflow/training-operator#688 which sets up cors for all tfjobs fetches (GET, POST, DELETE) in the UI (services.js). |
We need to build a new image for tf-operator to pick up the changes kubeflow/training-operator#688 |
I reopened this issue to track verification that it is working after updating the images. |
I created a new image: Looks like IAP is now working. Here's a screen shot showing that the jobs can load. Note though that nothing is showing up in Name, Status, Logs. Developer console is showing me errors
I see similar errors if I try to create a job via the UI. This appears to be a different issue, not related to IAP. I observe similar behavior if I try to create a job via the UI. |
* fixing kubeflow#574 * adding cors to ambassador for /tfjobs/ * update iap to include tfjobs path * remove cors from ambassador annotations - not needed * remove spurious changes
* Add Validate Algorithm Settings * Integrate ValidateAlgorithmSettings in ManagerClient * Run dep ensure
* add jocstaa to members * Update org.yaml
TFJobs UI is deployed on dev.kubeflow.org.
The UI shows up behind IAP but it doesn't work
Looking at the developer console we see requests to
Which suggests to me the request is hitting the loadbalancer and being directed to do auth verification to sign in and it's getting rejected.
So I think one of two things is happening
@wbuchwalter Do you know where the request is coming from?
You should be able to access it at
https://dev.kubeflow.org/tfjobs/ui/