Securing Applications

You can provide access to Applications via either the CDSW_APP_PORT or the CDSW_READONLY_PORT. Any user with read or higher permissions to the project is able to access an application served through either port.

• Securing project resources

  CML applications are accessible by any user with read-only or higher permissions to the project. The creator of the application is responsible for managing the level of permissions the application users have on the project through the application. CML does not actively prevent you from running an application that allows a read-only user (i.e. Viewers) to modify files belonging to the project.

• Public Applications

  By default, authentication for applications is enforced on all ports and users cannot create public applications. If desired, the Admin user can allow users to create public applications that can be accessed by unauthenticated users.

  To allow users to create public applications on an ML workspace:

  1. As an Admin user, turn on the feature flag in Admin > Security by selecting Allow applications to be configured with unauthenticated access.
  2. When creating a new application, select Enable Unauthenticated Access.
  3. For an existing application, in Settings select Enable Unauthenticated Access.

  To prevent all users from creating public applications, go to Admin > Security and deselect Allow applications to be configured with unauthenticated access. After one minute, all existing public applications stop being publicly accessible.

• Transparent Authentication

  CML can pass user authentication to an Application, if the Application expects an authorized request. The October 2020 release (and earlier) accomplishes this authentication by setting the REMOTE_USER field of the HTTP header to the username. The November 2020 release (and after) uses the REMOTE-USER field for this task.