Second user of app gets message "Not authorized to access this proxy"

Anders · 2018-08-28 14:00:37 UTC

First, thank you for your fantastic work on this.

I am running a single app using shinyproxy, with two users defined in application.yml using simple authentication.

The app runs perfectly when the first user logs in and starts the app. However, when the second user logs in and tries to start the app, the message “Not authorized to access this proxy” is displayed.

Note that it is the order that the users log on that matters, both users are able to start the app individually - as long as the other user is not logged in.

My understanding (and the main reason I looked into shinyproxy) is that a second instance of the app should be launched in this situation.

Does anyone have any idea of what could be wrong? I have followed the instructions without any deviations I can think of. My application.yml below.

Many thanks,
Anders

proxy:
 title: Open Analytics Shiny Proxy
  logo-url: http://www.openanalytics.eu/sites/www.openanalytics.eu/themes/oa/logo.png
  landing-page: /
  heartbeat-rate: 10000
  heartbeat-timeout: 60000
  port: 8080
  hide-navbar: false
  authentication: simple
  admin-groups: scientists
  # Example: 'simple' authentication configuration
  users:
  - name: user1
    password: password
    groups: scientists
  - name: user2
    password: password
    groups: mathematicians
  docker:
    cert-path: /home/none
    url: http://localhost:2375
    port-range-start: 20000
  specs:
  - id: myapp
    display-name: myapp
    description: QC
    container-cmd: ["R", "-e", "shiny::runApp('/root/myapp')"]
    container-image: openanalytics/shinyproxy-myapp
    access-groups: [scientists, mathematicians]

logging:
  file:
    shinyproxy.log

Mohsen · 2018-08-29 00:55:55 UTC

Hi,
I am having the exact same error, with a slight difference. In my case I only get this error if I login into different sessions using the same user. So if user1 logs in and runs the app, and then same user1 logs in from a different browser session and log in then I get this error, otherwise the app runs fine.
Are you having a different experience @Anders ?
Even then, is this behavior expected? That one user logs in once only from same session?
When user1 logs out from one of the sessions, user1 can then access the app from the other session.
Regards
Mohsen

Anders · 2018-08-29 08:24:55 UTC

My problem looks to have resolved itself after a reboot (yes, I know… Sorry.). @Mohsen, yes I do se that error when trying to log in twice using the same user in two different sessions. After logging the user out and than trying again the app starts as expected. I guess this behavior is expected, but perhaps an other message than “Not authorized to access this proxy” would be a good idea, e.g. “User already logged in”, or something?

Thanks!
Anders

fmichielssen · 2018-08-30 09:00:05 UTC

Hi @Anders, @Mohsen,

This could be a bug indeed. The intended behaviour is:

If two users access the same URL (e.g. /app/01_hello) from their browsers, each user should get their own shiny app running in a private container.
If a user accesses the same URL from 2 browser sessions, both sessions should direct the user to the same shiny app instance; it should not spawn 2 containers.
The message “Not authorized to access this proxy” should only appear if a user tries to access another user’s instance.

How did you perform these tests? Using different browsers, different tabs in the same browser, or incognito tabs?

Anders · 2018-08-30 10:16:15 UTC

OK, I’ve tried using both different browsers (on different computers) and using incognito sessions. Both cases requires logging in twice with the same user, and when the second “copy” of the user tries to access the /app/01_hello I see the “Not authorized …” error message.

In the same browser session (where I only need to log in once), however, everything is fine when opening. The user gets two instances of the app on the same container.

akenny · 2018-08-30 12:04:34 UTC

Also having a problem here.
Followed the steps here https://github.com/openanalytics/shinyproxy-config-examples/tree/master/02-containerized-docker-engine on ubuntu 16.04.

We logged in as the ‘jack’ user and opened the first application.
Then another person logged in as ‘jeff’ and opened the first application.

The second person got the ‘Not authorized to access this proxy’

So it looks like a bug in the 2.0.2 release

Mohsen · 2018-08-31 00:46:30 UTC

Hi @fmichielssen
This is the steps to reproduce the bug:

1. open two different sessions in two browser windows one normal, one incognito
2. browse to the shiny-proxy demo app on both session and login the same user, for example jack
3. run the hello-world app in one session
4. run the same hellop-world app in the other session
5. you will get the "Not authorized to access this proxy" error

So does indeed seem to be a bug.
I have submitted a bug report on github.

Mohsen · 2018-08-31 02:30:28 UTC

Hi @akenny
Are you sure about the reproduction steps? Different users caused this error?
I have explained the steps which reproduces the error for me here, but when logging in with different users in different sessions, I did not see any error.

Anders · 2018-08-31 11:45:45 UTC

This was the problem I originally saw but that was resolved by rebooting…

fmichielssen · 2018-08-31 13:50:52 UTC

Thanks all for providing your feedback. We have identified the issue and are preparing a fix.
Please keep an eye on https://github.com/openanalytics/shinyproxy/issues/85 for updates.

tverbeke · 2018-09-03 18:22:31 UTC

Hi @Anders, @Mohsen, @akenny,

Thanks for all feedback. ShinyProxy 2.0.3 (https://www.shinyproxy.io/downloads/) includes a fix for the reported issues.

Best,
Tobias

Mohsen · 2018-09-04 00:50:47 UTC

Hi @tverbeke
Thank you for the quick release fixing this issue.
I have checked and my quick tests show this to be behaving as expected now.
One other issue that I have noticed:
When the same user logs in from two separate sessions (let’s call them jack/session1 and jack/session2, and in one session you run the “Hello Application” app, there is a container started for jack/session1 which can be confirmed from the logs that is printed by shinyproxy. Then when jack/session2 runs the same “Hello Application” app, there is no indication of a new container being started. I suppose this means they are sharing the same container for both user/sessions.

I have noticed if I run the same app from the two user/sessions at very quickly at around the same time, only one will run and the other sometimes stays blank or gives a 404 error.

This is a screenshot of two user/sessions run at around the same time.

Going from the admin pages for the app, same container ID is shown for both user/sessions.

When logging in with different users, the behavior is as expected and two separate containers have been spun:

Is this by design? Maybe to make better use of resources?

One of the problems when I work with Shiny Server was that it is single threaded and therefore from separate sessions when running an app which takes few seconds to run, user1/session2 would need to wait until user1/session1 finished running the time consuming event. I expect similar thing will happen with ShinyProxy if that is the behavior as explained above. Is that a fair assumption?

Thanks

fmichielssen · 2018-09-04 06:10:02 UTC

Hi @Mohsen,

It is indeed by design that a single user gets a single container per app.
The only exception is authentication: none, where each session is considered a different ‘user’.

The 404 on quick access from 2 sessions appears to be a timing issue, we’ll look into this.

akenny · 2018-09-04 09:46:52 UTC

@tverbeke @fmichielssen Thanks! Can confirm that this fixes my issue

tverbeke · 2018-09-21 19:08:41 UTC

@Mohsen:

The timing issue has been solved in ShinyProxy 2.0.4: https://www.shinyproxy.io/downloads/

@akenny

For reference, the issue was not yet solved for OIDC authentication, but now is (ShinyProxy 2.0.4)

Best,
Tobias

Mohsen · 2018-09-24 01:26:45 UTC

Great news, thanks @tverbeke.