There are a couple places in the webui that allow users to start an ssh terminal. File explorer, Active interactive sessions, dashboard’s cluster shell, I think that is all of them. What like to do is disable them all.

The Dashboard’s navbar can be overridden by defining apps you want to allow
/etc/ood/config/apps/dashboard/initializers/ood.rb
NavConfig.categories=[“Files”, “Jobs”, “Interactive Apps”]
NavConfig.categories_whitelist=true

Other 2 there does not appear to be a configuration option to control behaviour. What about commenting out in html/cgi. Can you point me to where in the code they are and or make them a configurable option to enable/disable?

Regards,
Jesse

Hi Jesse.

Thanks for your question.

You can disable the terminal in the Files App by using the following docs.

https://osc.github.io/ood-documentation/latest/reference/files/ondemand-d-ymls.html?highlight=disable%20terminal

As far as the other locations, I’m not sure that there is a way without doing what you are planning to do. However, if you do comment out the code, you would need to reapply that comment each time you update ondemand.

If this functionality does exist and I’m unaware, I will let you know. If it does not exist, I will create a project ticket to add this as a feature. Ability to globally disable the terminal app.

Thanks,
-gerald

The preferred method in OnDemand to disable an app is to block the user(s) from having access using POSIX permissions. So to make it so only root can access the shell app (used for Terminal access):

chown root:root /var/www/ood/apps/sys/shell
chmod 0700 /var/www/ood/apps/sys/shell

If a user can’t access the app on the filesystem, their PUN (Per-User-NGINX) will not be able to access the app so it won’t show up in OnDemand.

Be aware that at this time, OnDemand updates will overwrite permission changes on apps that are shipped with OnDemand packages. I would recommend integrating the permission changes into some kind of automation.

Ansible: GitHub - OSC/ood-ansible: An ansible playbook for Open Ondemand
Puppet: osc/openondemand · Open OnDemand Puppet module · Puppet Forge

Trey,

Thank you for the quick suggestion. Changing directory perm to 700 does disables the functionality, not hide the buttons from the webui. If user clicks on it they get application error 500.

Gerald,

I did go through pages and commented out in the code where button and or anchor tags are generated. This does give does hide buttons from webui and would be preferred. If they have button, they will click it and if it errors, thats a ticket. I’ll do both changing perms and little code edits.

Thanks to you both for comments,

Regards,
Jesse

What version of OnDemand on you running?

With OnDemand 2.0.28 (and 2.0.27, 2.0.28 will be released likely next week) I did this:

[root@webtest04 ~]# chmod 0700 /var/www/ood/apps/sys/shell
[root@webtest04 ~]# ls -la /var/www/ood/apps/sys/ | grep shell
drwx------ 10 root root 4096 Aug  1 15:26 shell

This what I see:

Screen Shot 2022-08-03 at 9.55.03 AM1464×230 35.4 KB

If I put permissions back and restart my PUN / Web Server (Help → Restart Web Server) I get this:

Screen Shot 2022-08-03 at 9.57.42 AM1808×396 75.8 KB

I am running 2.0.27

I removed the cluster menu item with:
/etc/ood/config/apps/dashboard/initializers/ood.rb
NavConfig.categories=[“Files”, “Jobs”, “Interactive Apps”]
NavConfig.categories_whitelist=true

File manager:

Active jobs screen:

image700×125 6.21 KB

Job composer:

And Interactive jobs (click hostname tries open terminal):

500 error

If you want to disallow SSH from the job card, add this to the cluster YAML:

  batch_connect:
    ssh_allow: false

That goes under v2 key. See Customization — Open OnDemand 2.0.20 documentation for more options such as disabling for all of OnDemand via environment variable.

Here are docs to disable the SSH button in Files app: ondemand.d/*.yml files — Open OnDemand 2.0.20 documentation. See files_enable_shell_button option.

Trey,

Thanks for the pointers to docs. That just leaves to local edits

/var/www/ood/apps/sys/myjobs/app/views/workflows/index.html.erb
/var/www/ood/apps/sys/dashboard/app/views/active_jobs/_extended_panel.html.erb

Curious, why not use a global class and extend for individual modules as needed?
in the individual modules/apps class appConfiguration < ConfigurationSingleton

This could me global setting, with local overrides as needed or vice versa

Setting terminal functionality in files app

def files_enable_shell_button
to_bool(config.fetch(:files_enable_shell_button, true))
end

Can you share the changes you had to make to those erb templates? It sounds like a bug if the batch_connect and files app configs are not disabling SSH login buttons. There is an issue to discuss the idea of better configuration options to disable SSH here: Add functionality to globally disable the terminal app for OOD Install. · Issue #2193 · OSC/ondemand · GitHub.

see attched patch files
index.html.patch.txt (46.0 KB)
_extended_panel.html.patch.txt (1.2 KB)

I just commented out lines that display,
for index.html.erb, commented out whole file (sledgehammer, but it works)

It’s not clear why you’d need the index.html.erb patch as the option is used to turn off Terminal button, this is the commit that made that possible: Add option to disable terminal in files app. (#1277) · OSC/ondemand@77a1dc0 · GitHub

Looking at the diff patch for index.html it’s not clear where the code removed is coming from. For example in 2.0 branch I see no mention of OODClusters.any in the dashboard views.

For the extended panel, that appears to be a bug and I’ve opened this PR with a possible solution: Do not display Open In Terminal button if SSH to compute is turned off by treydock · Pull Request #2210 · OSC/ondemand · GitHub

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.