Blocking copy/paste functionality to JupyterHub
68 views
Skip to first unread message
Jujaga
Feb 19, 2018, 3:22:44 PM2/19/18
to jup...@googlegroups.com
Hi all,
Our group is currently leveraging zero-to-jupyterhub-k8s in order to provide Notebooks to a multi-user environment via Kubernetes. However, we also have a business requirement where we must prevent users from copying information out of the Notebooks, as well as preventing the insertion of code and other information into the Notebooks. We want to effectively block any textual information to and from the client's browser while still maintaining their ability to use the Notebooks.
We were wondering if there exists a method of achieving this? We are more than happy to provide more information and context as needed.
Thanks in advance,
Jeremy
--
Jeremy Ho
Software Engineer
Our group is currently leveraging zero-to-jupyterhub-k8s in order to provide Notebooks to a multi-user environment via Kubernetes. However, we also have a business requirement where we must prevent users from copying information out of the Notebooks, as well as preventing the insertion of code and other information into the Notebooks. We want to effectively block any textual information to and from the client's browser while still maintaining their ability to use the Notebooks.
We were wondering if there exists a method of achieving this? We are more than happy to provide more information and context as needed.
Thanks in advance,
Jeremy
--
Jeremy Ho
Software Engineer
Matthias Bussonnier
Feb 20, 2018, 1:17:24 PM2/20/18
to jup...@googlegroups.com
Hello Jeremy,
Thanks for your question,
A few Questions: is copy and past the only thing you want to block ? Do you sill want users to be able to modify notebooks by typing ? Is the a specific requirement/certification you need to have ?
A couple of clarification as well: JupyterHub act only as a proxy it is likely note JupyterHub, but Jupyter notebook itself that you will need to patch/configure to do so. It is not baked in but you probably can use extensions mechanism to do that.
There are ways in Javascript to prevent copy pasting, for example:
document.addEventListener('copy', function(e){
e.clipboardData.setData('text/plain', 'NO');
e.preventDefault(); // We want our data, not data from any selection, to be written to the clipboard
});
Will listen for copy events and replace the Data by "NO", you can also ping a custom URL to log when users are trying to copy.
Adapt for past events as well.
For the classic notebook you can either build that as an extension, or put it in users's `custom.js` (which I guess you will have control over)
Does that make some sens ?
--
Matthias
--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+unsubscribe@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAFMFVKuekm25o7gP0g2qTeDrGSeAP-WPVjBp2nsKWB4B3M4USw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
Jeremy Ho
Feb 20, 2018, 7:41:12 PM2/20/18
to Project Jupyter
Hi Matthias,
Thank you for your response. For some background context, the notebooks will have access to sensitive data sources that we don't want to have leaving the notebooks, and we also don't want to have users can inserting their own content into the environment.
Blocking copy and paste is one of the main features that we wish to achieve. Essentially, we would like to ensure that a JupyterHub notebook user is able to use and modify their notebooks at will normally (via typing, clicking and normal keystrokes), but disallow them from inserting or removing data to and from said notebooks via copy/paste. Additionally, we would like to prevent the the mouse right click or equivalent keyboard event as well.
In the meantime, I will go ahead and take a look at inserting the Javascript example solution you have provided into the Jupyter Notebook image and evaluate if it meets our requirements. I will also experiment with additional Javascript code in that js file intercepting other events (equivalent to right click) in addition to Clipboard event. If you have any other ideas or suggestions, please let me know.
Thanks again,
Jeremy
Thank you for your response. For some background context, the notebooks will have access to sensitive data sources that we don't want to have leaving the notebooks, and we also don't want to have users can inserting their own content into the environment.
Blocking copy and paste is one of the main features that we wish to achieve. Essentially, we would like to ensure that a JupyterHub notebook user is able to use and modify their notebooks at will normally (via typing, clicking and normal keystrokes), but disallow them from inserting or removing data to and from said notebooks via copy/paste. Additionally, we would like to prevent the the mouse right click or equivalent keyboard event as well.
In the meantime, I will go ahead and take a look at inserting the Javascript example solution you have provided into the Jupyter Notebook image and evaluate if it meets our requirements. I will also experiment with additional Javascript code in that js file intercepting other events (equivalent to right click) in addition to Clipboard event. If you have any other ideas or suggestions, please let me know.
Thanks again,
Jeremy
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+u...@googlegroups.com.
Matthias Bussonnier
Feb 21, 2018, 1:39:47 PM2/21/18
to jup...@googlegroups.com
Thanks Jeremy,
On 20 February 2018 at 16:41, Jeremy Ho <juj...@gmail.com> wrote:
Hi Matthias,
Thank you for your response. For some background context, the notebooks will have access to sensitive data sources that we don't want to have leaving the notebooks, and we also don't want to have users can inserting their own content into the environment.
Blocking copy and paste is one of the main features that we wish to achieve. Essentially, we would like to ensure that a JupyterHub notebook user is able to use and modify their notebooks at will normally (via typing, clicking and normal keystrokes), but disallow them from inserting or removing data to and from said notebooks via copy/paste. Additionally, we would like to prevent the the mouse right click or equivalent keyboard event as well.
I'm wondering if asking the users not to change the dataset might not be better handled by changing data permission either on a file system on with Read-Only credential.
In the meantime, I will go ahead and take a look at inserting the Javascript example solution you have provided into the Jupyter Notebook image and evaluate if it meets our requirements. I will also experiment with additional Javascript code in that js file intercepting other events (equivalent to right click) in addition to Clipboard event. If you have any other ideas or suggestions, please let me know.
One additional feature you might want to do, for example to prevent screenshot, is to blank the window when it loses focus.
I can't guarantied that any of these features can't be worked around though.
--
Matthias
Thanks again,
Jeremy
Michael Milligan
Feb 21, 2018, 2:28:42 PM2/21/18
to jup...@googlegroups.com
Hi Jeremy,
Your original question made it sound like you might be using the notebook purely as a dashboard interface with some level of point-and-click interactivity. This should be doable using the advice you have already received, provided you have good control of your users work environment. If you do not, then you must consider that any restrictions implemented in client-side JS can be circumvented by browser extensions. This is before you even consider the screenshot hole, which lately also includes cell phone photos of the screen.
Now that you have added the requirement that users be able to input and execute normal code cells, you may need to rethink your security model even further. A few lines of Python is quite adequate to upload a dataset to an outside server, load new JS code into the browser, or make arbitrary changes to locally writable files. In the general case, preventing data exfiltration is a hard problem, even with very strict controls on the users.
My advice, based on my organization's work to build a system with similar requirements, is this: if you want to use a system as flexible as Jupyter, forget about detailed control of how your users interact with data. Instead, focus your technical effort on detailed logging of which users have been given access to which data, educate your users about acceptable data use, and make it crystal clear that they will be held accountable if data is mishandled.
Regards,
Michael
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/09c7c325-e45f-4f7a-9d4f-69a4eb5a8ed7%40googlegroups.com.
Roland Weber
Feb 22, 2018, 2:43:54 AM2/22/18
to Project Jupyter
Hello Jeremy.
Blocking copy and paste is one of the main features that we wish to achieve. Essentially, we would like to ensure that a JupyterHub notebook user is able to use and modify their notebooks at will normally (via typing, clicking and normal keystrokes),
When I write code, I normally copy&paste longer variable names. Or functions I use more than once. Or import statements, where the path remains the same and only the name at the end changes. Disabled copy&paste would make me feel thrown back into the age of typewriters. Let's hope I'm not representative of your user base, which will have to type out every occurrence of every variable and function name, fully qualified.
but disallow them from inserting or removing data to and from said notebooks via copy/paste. Additionally, we would like to prevent the the mouse right click or equivalent keyboard event as well.
This is to prevent users from looking at the HTML source? Make sure to disable menu items that provide access to this feature, or that allow to save the current page as HTML. The notebook edit page is probably not stored in the browser cache, but you might want to double-check that.
The people that gave you these requirements are aware that users can still type everything they read into a second computer, or make "screenshots" with a mobile phone? Disabling copy&paste doesn't stop anyone from getting data out of the system. It only makes that slightly more inconvenient, while at the same time compromising convenience for the intended use of the system as well. Folks who want to steal your data won't mind the extra hurdle very much. But folks who have to work with the system on a daily basis will.
cheers,
Roland
Reply all
Reply to author
Forward
0 new messages