tmpnb
Google Drive Integration
@rgbkrk @ptone @Carreau
This issue is to get the ball rolling on Google Drive integration to tmpnb.
@rgbkrk and I have discussed security and other issues, and we have figured out two milestones.
1. A (possibly) sufficiently secure temporary solution:
   a) Use cookie authentication for users, so a user can only log onto their own kernels and content.
   b) Sandboxed iframes and no widgets. This won't fully protect a user from the kernel (since the kernel runs in the same machine that serves the front end javascript) but it does protect the user from JavaScript from other people's notebooks.
2. A secure system with a better design than current tmpnb:
   - Separate the kernel from the webserver.
   - Kernel API, contents API, kernel spec API (and clusters API?) all served from the per-user kernel.
   - Notebook webpage, tree view, all served from a single website that also manages sessions.
   - The session manager manages the mapping from users/kernels to machines.
   - The security of this model relies on no vulnerabilities of the front end to the kernel API, contents API, etc. E.g. the contents API should not be able to inject javascript via error messages. This should already be the case.
We are trying to get 1. done during the sprints. Kyle will do (a) and I will start (b) by creating some sample code (modifying IPython code directly) for iframe sandboxing and disabling widgets. @ptone, once I've done this, would you be able to work with @rgbkrk to make this configurable (hopefully with minimal changes upstream) instead of by directly changing IPython code?
That's a great summary, thank you @KesterTong.
It didn't occur to me you were hoping that we could do the iframe sandboxing in a configurable way. I'm not sure how that's going to work, but we can figure it out as we go. I'm guessing it will end up as a notebook extension that also overrides some of the jinja templates.
Thanks @rgbkrk.
I'm going to backpedal a bit on configurability. It seems like the "isolated" iframes option doesn't help much, so we need https://github.com/ipython/ipython/pull/6148. I think that only the first two commits from that PR are needed, @jdfreder is that right? I believe the rest of the commits are for widgets, which for now we are just going to disable.
Hey @KesterTong,
I'd use the first three, which includes https://github.com/jdfreder/ipython/commit/aa41c4f7c7020b63ddc78fc3c87bb1a7c97cfd74 .
To disable the widgets, remove https://github.com/ipython/ipython/blob/3.x/IPython/html/static/services/kernels/kernel.js#L10 https://github.com/ipython/ipython/blob/3.x/IPython/html/static/services/kernels/kernel.js#L58
This will disable the widgets from loading in the front-end. There will still be a "widget area" div, not visible to the user. Don't worry about this, but if it does bug you, you can remove it: https://github.com/ipython/ipython/blob/3.x/IPython/html/static/notebook/js/codecell.js#L179
And the append here https://github.com/ipython/ipython/blob/3.x/IPython/html/static/notebook/js/codecell.js#L211
Related methods https://github.com/ipython/ipython/blob/3.x/IPython/html/static/notebook/js/codecell.js#L211 https://github.com/ipython/ipython/blob/3.x/IPython/html/static/notebook/js/codecell.js#L255 https://github.com/ipython/ipython/blob/3.x/IPython/html/static/notebook/js/codecell.js#L267
I'm working on having jupyter-drive work on the new split repo right now.
I guess if we only enable tmpnb for files created with it, it should already be pretty secure.
@jdfreder thanks for the info. @Carreau I would prefer some kind of protection from notebooks shared by others. However, since iframes might not be the only approach, @rgbkrk, what are the options for getting the usual trust mechanism to work with tmpnb? Is there a place to store a private key, and get users to sign notebooks that they author (this will stop someone they've shared it with from editing it later without the user noticing)?
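
A sketch of the per-user signing idea raised in the last comment, added here as an illustration and not code from the thread, tmpnb or IPython. It assumes a symmetric per-user secret (HMAC-SHA256) instead of a private key; the `metadata.signature` field, the key values and the sample notebook are constructed for the example.

```python
import copy
import hashlib
import hmac
import json

def _canonical(nb: dict) -> bytes:
    """Serialize the notebook deterministically, excluding any stored signature."""
    body = copy.deepcopy(nb)
    body.setdefault("metadata", {}).pop("signature", None)
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_notebook(nb: dict, user_key: bytes) -> dict:
    """Return a copy of nb with an HMAC-SHA256 tag in metadata.signature (hypothetical field)."""
    signed = copy.deepcopy(nb)
    tag = hmac.new(user_key, _canonical(signed), hashlib.sha256).hexdigest()
    signed.setdefault("metadata", {})["signature"] = "hmac-sha256:" + tag
    return signed

def is_trusted(nb: dict, user_key: bytes) -> bool:
    """True only if the stored tag matches the current content under user_key."""
    stored = nb.get("metadata", {}).get("signature", "")
    scheme, _, tag = stored.partition(":")
    if scheme != "hmac-sha256" or not tag:
        return False  # unsigned or unknown scheme: treat outputs as untrusted
    expected = hmac.new(user_key, _canonical(nb), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), tag.encode())

# Constructed sample notebook (not from the thread).
SAMPLE = {
    "nbformat": 4,
    "metadata": {},
    "cells": [{"cell_type": "code", "source": "1 + 1",
               "outputs": [{"output_type": "execute_result",
                            "data": {"text/plain": "2"}}]}],
}

def demo() -> dict:
    author_key = b"constructed-author-key"        # placeholder secret
    other_key = b"constructed-collaborator-key"   # placeholder secret
    signed = sign_notebook(SAMPLE, author_key)
    edited = copy.deepcopy(signed)                # collaborator changes an output later
    edited["cells"][0]["outputs"][0]["data"]["text/html"] = "<b>edited</b>"
    return {
        "original": is_trusted(signed, author_key),
        "edited_by_other": is_trusted(edited, author_key),
        "resigned_by_other": is_trusted(sign_notebook(edited, other_key), author_key),
        "unsigned": is_trusted(SAMPLE, author_key),
    }
```

The check is only as strong as the key's storage: a key readable by the kernel or by a collaborator lets them re-sign edited content.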