WebUI authentication

[Markus92]

What would you like to be added:
Some form of authentication to the WebUI when running on shared resources or less trusted networks. For example, password authentication (can be set in the config yml) or the same way Jupyter does it: using a token.

Why is this needed:
The WebUI exposes many settings but some, like killing tasks or changing concurrency, you don't want unauthenticated users to be able to change these settings. As by default the interface is exposed on the remote IP there is no authentication possibler.

Without this feature, how does current nni work：
Malicious actors that can access the WebUI can kill or cripple my AutoML job.

Components that may involve changes:
WebUI

Brief description of your proposal if any:
Something similiar to Jupyter would be amazing: at the moment you create a job, a token will be shown. You enter the token, it will place a cookie and you can access WebUI.

[scarlett2018]

Thanks @Markus92 for this requirement, the scenario is reasonable and very helpful.

We'd like to put it in our backlog, but as our recent planned features are majorly focus on the scenarios that taking "trust networks" as an assumption. We might not able to work this for a while. Would you like to contribute this feature?

[Markus92]

Thanks for your response, it's fully reasonable that this is a lower priority feature. I might be able to help on this, but this will in October the earliest.

Would it be a problem, licensing-wise, if I re-use part of the Jupyter implementation? They are licensed under the modified 3-clause BSD license, which seems very similar to your MIT license.

[scarlett2018]

@Markus92 - To keep it simple, would you like to implement this feature as an independent component? And as MIT license software, we can have dependent and usage on external 3-clause BSD license components/libs.

[scarlett2018]

@Markus92 - To keep it simple, would you like to implement this feature as an independent component? And as MIT license software, we can have dependent and usage on external 3-clause BSD license components/libs.

@Markus92 any comments?

[Markus92]

@scarlett2018 Hi I unfortunately made that comment before looking at your code, and didn't realize it's mostly Node/TS which I have zero experience with unfortunately. It might take me some time before I'm familiar enough with it to be able to contribute a decent patch, sorry about that.

[scarlett2018]

@scarlett2018 Hi I unfortunately made that comment before looking at your code, and didn't realize it's mostly Node/TS which I have zero experience with unfortunately. It might take me some time before I'm familiar enough with it to be able to contribute a decent patch, sorry about that.

No worries, take your time =)!