Make sync-experiment Tiled-based #234

Draft
Nathanael (Nate) Maytan (nmaytan) wants to merge 24 commits into NSLS2:main from nmaytan:sync_experiment_tiled

@nmaytan Nathanael (Nate) Maytan (nmaytan) commented Nov 18, 2025

Summary of changes so far:

  • Keys in Redis are now always prefixed, even if there is no endstation ("fixes" greedy key ingestion that happens otherwise)
  • The beamline and endstation acronyms are taken from the system environment, so that they don't have to be provided (but are overridable, as this won't work in some cases such as SST/SST1/SST2)
  • Added facility parameter throughout to set us up for future LBMS support (still needs other work to actually function)

  • Multiple proposals can now be activated at the same time, to support cases like at SMI where they interleave experiments. This is put in a new key md['data_sessions_authorized']
  • Now that multiple proposals can be activated, we can enable switching proposals in a way that doesn't bypass auth as extremely -> switch_proposal lets you rotate through any proposals that are currently activated
  • Adds the ability to switch between authorized proposals from the CLI

  • Auth is totally Tiled-based, no more LDAP calls. This is done using password_grant only for now, but could use any auth flow that Tiled supports (sets us up for the future, i.e. OIDC)
  • An API key is generated when sync-experiment runs, reducing the need to have multiple logins (API key will be used for subsequent Tiled clients)
  • API keys are cached in Redis and managed with a priority queue based on expiration date. Keys are set to expire after 7 days.
  • 5 keys can be cached at a time - each combination of username + proposal list counts as a new key
  • Only one API key is left unencrypted at a time, and it is put in Redis under a specific key so that it can be retrieved from other applications without decrypting it
  • The rest of the cached keys remain encrypted in Redis until they are needed
  • UPDATE: caching of API keys has been removed. Now, a single API key is stored in Redis unencrypted.
  • Syncing or unsyncing the experiment now revokes the currently active API key (if one is found). If syncing, it is replaced with a new key.
  • Generated keys are set to expire after 7 days.

  • Adds the ability to "unsync" (logout) of an experiment
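
The key lifecycle listed in the summary above (a single active key, revoked and replaced on sync, revoked on unsync, switching only among authorized proposals), as an added example that is not code from this PR. `FakeTiled`, the plain dict standing in for Redis, and every function and key name other than `data_sessions_authorized` are assumptions made for illustration.

```python
import secrets
import time

KEY_TTL = 7 * 24 * 3600  # summary: generated keys expire after 7 days


class FakeTiled:
    """Constructed stand-in for the server side; tracks which keys are live."""

    def __init__(self):
        self.live = {}  # secret -> expiry timestamp

    def create_api_key(self, expires_in):
        secret = secrets.token_hex(16)
        self.live[secret] = time.time() + expires_in
        return secret

    def revoke_api_key(self, secret):
        self.live.pop(secret, None)


def unsync(md, tiled):
    """Revoke the currently active key (if one is found) and clear the session."""
    old = md.pop("api_key", None)  # hypothetical key name
    md.pop("data_sessions_authorized", None)
    md.pop("data_session_active", None)  # hypothetical key name
    if old is not None:
        tiled.revoke_api_key(old)
    return old is not None


def sync(md, tiled, proposals):
    """Revoke any existing key first, then store one fresh key and the proposals."""
    unsync(md, tiled)
    md["api_key"] = tiled.create_api_key(KEY_TTL)
    md["data_sessions_authorized"] = list(proposals)
    md["data_session_active"] = proposals[0]
    return md["api_key"]


def switch_proposal(md, proposal):
    """Switching never authenticates; it only picks from the authorized list."""
    if proposal not in md.get("data_sessions_authorized", []):
        raise PermissionError(f"{proposal} is not authorized; sync it first")
    md["data_session_active"] = proposal
    return proposal
```
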

@nmaytan
Collaborator Author

This will close #189. A few touch-ups still needed. We also agree that we need a "desync experiment" command. This has been discussed before, but is now even a bit more useful when using an API key for auth (effectively can work like a logout).

Experiments (proposals) are "authorized". Then, one of the authorized
experiments is "activated". Multiple proposals may be authorized at the
same time, but only one proposal can be active at a time.

This should make more clear what the tool is doing, and how the policy
works, as opposed to before (authorize/activate vs activate/select or
activate/load).

Includes some other minor word fixes.
Comment thread nslsii/sync_experiment/sync_experiment.py
"/v1/facility/nsls2/cycles/current"
).raise_for_status()
return cycle_response.json()["cycle"]
print(
Collaborator

Do we have a proper logger for this already? I guess, printing is okay still.

Collaborator Author

A reflection on this: in its current implementation, this is a CLI tool (+callable from Python). I typically don't expect tools I call from terminal to print to syslog, for example. That is, unless I'm doing something with services, which this tool isn't exactly quite yet. It does set information in Redis for us, maybe that is sort of service-like, but I'm not bought in.

Not to say that using a logger for this == we have to put things in syslog, but thinking in terms of intent/patterns. I don't think I'd expect this version of the tool to be logging. And I'm also not sure I'd put Redis metadata in the logs on random workstations.

Also, when I call verbose with a terminal command I'm expecting more stdout/stderr to appear in the stream. Sometimes that is also logged, but I don't expect it to mean "turn on logging".

So, I think I favor that this remains a print for now.

Nathanael (Nate) Maytan (nmaytan) commented Apr 14, 2026

Updated to greedily revoke the existing API key rather than cache+rotate, enabled by the revoke:apikeys scope we added in Tiled for this purpose. This simplifies the tool quite a bit (no encryption needed and no priority queue in Redis).

This also gets us closer to ready for OIDC, where we wouldn't have had a password to encrypt the keys with. Probably just two more things needed?

  • remove the internal mode check when creating the context
  • move the username/password prompt out of the way

Tested current changes and seems to work well. More to come for OIDC when available to test with.

edit: also need to change root_node tag -> beamline tag when the change goes through server-side

@thopkins32
Contributor

Nathanael (Nate) Maytan (@nmaytan) Can you try to merge this soon? We need ESM arpes to be on a new release of nslsii
