How to create Different User

I has finished install omnisci and jupyter using docker,

after its I need to create some user in omnisci, but If I create user and not using (is_super=true) my user cannot login omnisci, and if I using is_super=‘true’ my user can sell all file and container jupyterlab-{user} still using jupyterlab-admin.

can you give tutorial step by step to create user in omnisci?

Thank you,
Best Regards.
Dedy

Hi @dsugiarto ,

Non-super users need to have permissions assigned in order to access databases and all other objects, have a look at the docs here for assistance: https://docs.omnisci.com/installation-and-configuration/security/roles#database-object-privileges

Hi @dsugiarto,

to make users able to login to the default database you need to give them the right permission to connect with that database.

So after you create the user with the create user command, grant him at least the access privilege in the database, and to make him see the jupyterlab, you have to grant the omnisci_jupyter role you should have created during the installation.

As an example

Create user u_test (password = 'whatever');
Grant access,select on database omnisci to  u_test;
Grant omnisci_jupyter to u_test;

The users with omnisci_jupyter privileges should see the icon and open the Jupiter app.

Hi All,

Ok an non super user can use omnisci and jupyter, but another problem, if I user an user named userA and login to omnisci and access jupyterlab and create a docker container named jupyterlab-userA, but if I loggedout and I login with admin user and access jupyterlab, its still using jupyterlab-userA, and my jobs in jupyterlab-admin is lost, its right? or there’s something wrong? why my container named jupyterlab-admin is deleted?
thank you.

Best Regards,
Dedy

Hi @candido.dessanti and @jpharvey

Another questions and problem is my session in omnisci web page / immerse is too short, just about 1 minutes has timmed out, its can be extended? to about 20 minutes or 1 hour?

Thank You.
Best Regards,
Dedy

Hi @dsugiarto

With regards to the Jupyter issue, this is due to Immerse and Jupyter Lab not sharing the same logout function. If you wish to change users, it’s necessary to clear the cookies for the Immerse URL after logging out through the Immerse interface. It should also be possible to log out of Jupyter Lab as well (through the Lab interface) prior to logging out of Immerse. Note that even if the user is able to launch into the other user’s Jupyter Lab container, they will not be able to use the predefined OmniSci connection object con as the session would have been terminated by Immerse, so they should have no access to OmniSciDB as that user if it’s being used as designed.

Your Jupyter Lab container should keep running in the background if you log out, however if the Lab container is stopped for whatever reason then it is automatically removed - noting that the data is persisted since volumes are mounted for the locations in which data is saved and shared. Persisting the containers themselves is possible with a configuration option documented in the docker-compose.yaml (JLAB_CONTAINER_AUTOREMOVE), however it is highly not recommended as it almost always results in obscure messages later when attempting to start containers, and as noted they have been designed to persist all data so that the effect is as if the containers themselves persist. In your case the Admin container should still be running but I it sounds like the built-in con session might have been used. If so, as noted above, logging out of Immerse will destroy the shared session and any running jobs in Lab will then fail due to the invalid session - this will not stop the container though.

With regards to the low Immerse timeout, that timeout is not the default behavior. It could be that the idle-session-duration has been set to something very low from the default of 60 mins, ref here.

There is another situation where these types of symptoms can be observed, and that is if one is running multiple Immerse interfaces on different ports with the same IP/URL in the browser address bar. Eg. one on https://immerse.yourdomain.com:6273 and https://immerse.yourdomain.com:16273. In that case every time the browser is switched to the other instance the other one will be logged out (since the cookie domain is shared). If that’s the case, then either the IP can used for one of the urls, different browsers can be used, incognito / private mode can be used for one, or the name of the cookie can be set to different things between instances using the auth-cookie-name configuration parameter under the [web] section in omnisci.conf. It looks like that is not documented so we will ensure that it gets added to the docs.