to Project Jupyter
Dear jupyter developers.
I am the manager of a large HPC system and users have requested and received a central jupyter installation.
Today two users alerted me to two different issues:
(a) The ports are not user specific, but system specific.
(b) With these ports being system specific there is a security issue: without being alerted or identified the system asks for the user's password on attaching to the notebook and if no password is set in the jupyter setup, any user can access that notebook.
The former is troublesome, as different users do not know what ports are already used. This can lead to confusion. Is there a means of controlling this on system level?
The latter (b) poses a security risk. Is there a means of enforcing a password or linking the jupyter password to the user's system password?
I am a total newbie at using jupyter and if there are answers in the documentation to the questions, could you please point me to them?
If not, are there possible answers?
Thomas Kluyver
May 8, 2017, 9:14:30 AM
> The latter (b) poses a security risk. Is there a means of enforcing a password or linking the jupyter password to the user's system password?
There are two parts of the answer here:
1. Since notebook 4.3, users without a password set are automatically secured by a randomly generated token to mitigate this risk. It's not strictly enforced - you can still configure it to use no security - but it's more secure by default. So upgrading your users to any version since 4.3 should improve matters easily.
2. If you're running a central, multi-user Jupyter installation, you should look at JupyterHub (http://jupyterhub.readthedocs.io/en/latest/ ), which is designed for precisely this use case. It can integrate with system logins for authentication, or with institutional single-sign on systems.
Best wishes,
Thomas
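For the two questions in this thread (which ports are taken, and which notebooks run with neither token nor password), an added audit sketch that is not part of the thread or Jupyter's own code. It assumes the notebook server's runtime files are named `nbserver-<pid>.json` and carry `port`, `token` and `password` fields; the sample records and user names are constructed.

```python
import json
from pathlib import Path

def load_records(runtime_dir):
    """Parse every nbserver-<pid>.json in one user's Jupyter runtime directory."""
    records = []
    for path in sorted(Path(runtime_dir).glob("nbserver-*.json")):
        try:
            records.append(json.loads(path.read_text()))
        except (OSError, ValueError):
            continue  # unreadable or half-written file: skip it, keep auditing
    return records

def classify(record):
    """Return 'token', 'password', 'open' or 'unknown' for one server record."""
    if record.get("token"):
        return "token"        # default since notebook 4.3 when no password is set
    if "password" not in record:
        return "unknown"      # record lacks the flag; cannot tell password from open
    return "password" if record["password"] else "open"

def audit(records_by_user):
    """Return (findings, port_owner) for {user: [record, ...]} on one host."""
    findings, port_owner = [], {}
    for user, records in sorted(records_by_user.items()):
        for rec in records:
            port_owner[rec.get("port")] = user
            state = classify(rec)
            if state in ("open", "unknown"):
                findings.append((user, rec.get("port"), state))
    return findings, port_owner

# Constructed sample records (not real data), shaped like the runtime files.
SAMPLE = {
    "alice": [{"port": 8888, "token": "constructed-token", "password": False}],
    "bob": [{"port": 8889, "token": "", "password": False}],
    "carol": [{"port": 8890, "token": "", "password": True}],
    "dave": [{"port": 8891, "token": ""}],
}

if __name__ == "__main__":
    findings, port_owner = audit(SAMPLE)
    for user, port, state in findings:
        print(f"{user}: server on port {port} is {state}")
    for port, user in sorted(port_owner.items()):
        print(f"port {port} in use by {user}")
```

On a real system an administrator would build the `{user: records}` mapping by calling `load_records` on each user's runtime directory (by default under `~/.local/share/jupyter/runtime` on Linux).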
Matthias Bussonnier
May 8, 2017, 12:21:52 PM
to jup...@googlegroups.com
Thanks Thomas for the response!
Also as a side note, if you have any security concerns or think you
have found any security vulnerability that you do not want to disclose
publicly, feel free to write to ipython-...@googlegroups.com.