bobbai00 opened a new pull request, #3931: URL: https://github.com/apache/texera/pull/3931
## Summary - Add web-based terminal access to Computing Units using ttyd - Users can now open a shell interface to their CUs through the web UI - Enables installation of custom libraries, debugging, and environment inspection ## Related Issue Closes #3930 ## Solution Overview This PR implements SSH-like terminal access to Computing Units by integrating ttyd (terminal over HTTP/WebSocket) into the computing unit infrastructure. ### Backend Changes **1. Computing Unit Master Dockerfile** (`bin/computing-unit-master.dockerfile`) - Install ttyd package for web-based terminal functionality - Run ttyd on port 7681 alongside the computing unit master process - Expose port 7681 for terminal access **2. Kubernetes Service Configuration** (`bin/k8s/templates/workflow-computing-units-service.yaml`) - Add `ttyd` port (7681) to the service definition with proper port name - Enable network routing to terminal endpoints **3. Envoy Proxy Configuration** (`bin/k8s/templates/envoy-config.yaml`) - Add routing rules for `/wsapi/cu-ssh` endpoint - Configure proxy_pass to computing unit terminal services - Route terminal WebSocket connections to appropriate CU pods **4. Access Control Integration** - Verify user permissions through access control service - Use JWT tokens for authentication in terminal URLs ### Frontend Changes **1. Computing Unit SSH Service** (`computing-unit-ssh.service.ts`) - Generate terminal URLs with proper authentication tokens - Include user ID (uid) and computing unit ID (cuid) parameters - Attach JWT access token for secure access **2. Computing Unit Selection Component** - Add UI controls to open terminal for each Computing Unit - Display terminal interface (via iframe or modal) - Show terminal connection status ## Technical Implementation The solution uses **ttyd** which provides a terminal over HTTP/WebSocket: - Terminal runs inside each computing unit master pod - Accessed via `/wsapi/cu-ssh` endpoint with authentication - Envoy proxy handles routing based on computing unit ID - WebSocket connection maintained for real-time terminal interaction **Terminal Access Flow:** 1. User clicks "Open Terminal" for a specific CU in the UI 2. Frontend generates terminal URL with uid, cuid, and JWT token 3. Request goes through Envoy proxy to `/wsapi/cu-ssh` 4. Envoy routes to the appropriate CU pod on port 7681 5. ttyd serves terminal interface over WebSocket 6. User can execute commands in the CU environment ## Benefits **For Users:** - Install custom Python/R packages on-demand without rebuilding images - Debug workflow execution issues by inspecting logs and processes - Verify environment configuration and installed dependencies - Run custom scripts and ad-hoc commands - Greater flexibility and control over execution environment **For System:** - No need to pre-install all possible libraries in base images - Faster development iteration - Better troubleshooting capabilities - Enhanced user autonomy ## Security - Terminal access requires valid JWT authentication token - Users can only access CUs they have permissions for - Access control enforced through existing authorization mechanisms - Terminal sessions scoped to specific computing unit pods ## Test Plan - [ ] Verify terminal opens for authorized users - [ ] Test that users cannot access CUs they don't own - [ ] Confirm custom package installation works (pip install, apt-get) - [ ] Validate terminal WebSocket connection stability - [ ] Test Envoy routing to correct CU pods - [ ] Verify authentication token validation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
