To add an authentication layer on top of existing Shiny Apps on Saagie, you can deploy a ShinyProxy instance on Saagie. ShinyProxy will provide:
- authentication (compatible with LDAP, OpenID Connect, SAML 2.0)
- authorization: for each app you want to expose, you'll be able to specify which groups (fetched from your AD) will be allowed to access it.
That way, users who want to access the different Shiny Apps don't even need Saagie user access. They can connect directly to the ShinyProxy instance, where access rights are fetched directly from your company's AD. ShinyProxy will be the main entry point for all the Shiny Apps.
More information about Shiny Proxy can be found here
Configuration of Shiny Proxy
Shiny Proxy is configured through a YAML configuration file that needs to be stored on HDFS (e.g. hdfs://config/shinyproxy/application.yaml) or S3 (e.g. s3://config/shinyproxy/application.yaml). The $SHINYPROXY_CONF_URL environment variable must then be created on your Saagie environment to specify where this configuration file is stored:
For HDFS:
http://<HDFS IP>:50070/webhdfs/v1/<full path to application.yaml>?op=OPEN&user.name=hdfs
Deploying Shiny Proxy as a Smart App
Simply deploy a new Smart App using the saagie/shinyproxy:2.3.0 docker image and expose port 8080.
Example with OpenID
When configuring OpenID, you must use the roles-claim parameter to specify which attribute should be used to restrict access to the different applications.
    openid:
      auth-url:
      token-url:
      jwks-url:
      client-id: ------
      client-secret: -------
      username-attribute:
      scopes: [allatclaims]
      roles-claim: MyGroupAttribute
      logout-url:
Configuration of the Shiny Apps
To add a new application on Shiny Proxy, edit the configuration file in HDFS and add your app configuration under the specs: tag (More information here). The ShinyProxy Docker job must be restarted for the changes to be applied.
Shiny Apps must be deployed in Saagie as Smart Apps before being accessed from Shiny Proxy.
To do that, you must allow internal access to these apps and expose the default Shiny port (3838). This gives each app an internal URL, which you must enter in your app configuration in the application.yml file.
For each application, you must then specify which groups should have access to it:
    - id: shiny-app-1
      display-name: My Shiny App
      description: This is a Super Shiny App
      container-proxy-managed: false
      container-app-url: http://url of my shiny app on Saagie.internal.px
      access-groups: ["GroupA","GroupC"]
Applications without any access-groups configured will be available to anyone logged in.
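Because of this default, a spec whose access-groups entry is missing or empty is reachable by every authenticated user. The check below is an added example, not part of the Saagie or ShinyProxy code: it is a line-based scan that assumes the spec layout shown on this page (each spec starting with `- id:`), and its sample app ids, group names and URLs are constructed.

```python
import re

# Constructed sample in the layout used on this page; ids and URLs are made up.
SAMPLE = """\
proxy:
  specs:
  - id: shiny-app-1
    display-name: My Shiny App
    container-proxy-managed: false
    container-app-url: http://shiny-app-1.internal.example:3838
    access-groups: ["GroupA","GroupC"]
  - id: shiny-app-2
    display-name: Open App
    container-app-url: http://shiny-app-2.internal.example:3838
  - id: shiny-app-3
    access-groups: []
  - id: shiny-app-4
    access-groups:
    - GroupB
"""

def open_specs(config_text):
    """Return ids of specs with no access-groups (open to any logged-in user)."""
    groups = {}        # spec id -> group names found for it
    current = None     # id of the spec currently being read
    in_block = False   # True while inside a block-style access-groups list
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"-\s*id:\s*(\S+)", line)
        if m:                                   # start of a new spec
            current = m.group(1).strip("\"'")
            groups[current] = []
            in_block = False
            continue
        if current is None:                     # still above the first spec
            continue
        m = re.match(r"access-groups:\s*(.*)", line)
        if m:                                   # inline list, scalar, or block header
            value = m.group(1).strip()
            in_block = value == ""
            groups[current] += [g for g in re.split(r"[\[\],\s\"']+", value) if g]
        elif in_block and line.startswith("- "):
            groups[current].append(line[2:].strip("\"' "))
        else:
            in_block = False
    return [app for app, found in groups.items() if not found]

if __name__ == "__main__":
    print("open to any logged-in user:", open_specs(SAMPLE))
```

Running it against application.yaml before restarting the ShinyProxy job shows which apps the new configuration would expose to all logged-in users.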
We're using a fork of Shiny Proxy 2.3.0 in which the non-managed containers part has been customized to fit within Saagie. Code can be found here: