search

grst / rstudio-server-conda

Run Rstudio Server in a conda environment
MIT License
236 stars 49 forks source link

No Authentication #3

Open jdhayes opened 5 years ago

jdhayes commented 5 years ago

This is awesome and exactly what I need! However, when running RStudio Server as a non root user, it seems to bypass the login page. This is a big security risk for multi users systems. Is there a way to have authentication functional by still running RStudio Server as a non root user?

grst commented 5 years ago

As far a I am aware, it still authenticates, but re-uses the cookies from previous R studio sessions.

Clear your cookies or use a private tab to confirm. Cheers, G.

On Wed, Oct 16, 2019, 18:56 Jordan Hayes notifications@github.com wrote:

This is awesome and exactly what I need! However, when running RStudio Server as a non root user, it seems to bypass the login page. This is a big security risk for multi users systems. Is there a way to have authentication functional by still running RStudio Server as a non root user?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/grst/rstudio-server-conda/issues/3?email_source=notifications&email_token=ABVZRVZYKXRCIU2RMV5BOJ3QO5BSPA5CNFSM4JBOICBKYY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4HSHCSSQ, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABVZRV62W3K37DFM767NMRTQO5BSPANCNFSM4JBOICBA .

jdhayes commented 5 years ago

Oh, yes I had used a incognito tab and was still able to gain access, bypasses the login page. Even when I logout, it brings me to the login page, however if I just remove the "auth-sign-in" part of the URL, it allows access without authentication. I believe this may have something to do with the default for "--auth-none" flag is 1. So, this means it will not authenticate by default. I turned this flag off, but now I am not able to login with the Linux user name and password. Perhaps this is not related to how I am running RStudio server, but rather how I installed it? I installed RStudio server as a non-root user.

grst commented 5 years ago

Thanks for investigating! I can reproduce that on my current system. I am a bit confused because I could have sworn that I had to authenticate using this method on a different system.

Let me know if you find something out!

jarach commented 4 years ago

I'm also interested in solution for secure multi-user environment. In may case, when I set --auth-none flag to 0 the login page doesn't appear - I'm getting connection error rather than login page.

Thanks

jdhayes commented 4 years ago

I had opened an issue with RStudio people, but was ignored. So I ended up using this: https://github.com/nickjer/singularity-rstudio Which runs RStudio server within a container and allows you to set your own password within an environment variable. Of course singularity needs to be installed, but seems to work perfect for our needs.

jdhayes commented 4 years ago

Ah, ha! This is more simple than I thought. You can add a simple password auth to any rstudio-server install, as long as you put rstudio_auth in your PATH and then set your RSTUDIO_PASSWORD variable when starting the server.

Something like this should work:

# Download simple authentication
wget -O /wherever/you/installed/rstudio-server/bin/rstudio_auth https://raw.githubusercontent.com/nickjer/singularity-rstudio/27acb82cbc14796f341c4d3e7bde69fa55d98e91/rstudio_auth.sh

# Ensure execute permissions
chmod a+rx /wherever/you/installed/rstudio-server/bin/rstudio_auth

# Run rstudio server with password on the same line
RSTUDIO_PASSWORD="password" rserver \
  --auth-none 0 \
  --auth-pam-helper rstudio_auth
grst commented 4 years ago

Neat :) Do you want to put a PR together?

On Wed, 11 Mar 2020, 23:08 Jordan Hayes, notifications@github.com wrote:

Ah, ha! This is more simple than I thought. You can add a simple password auth to any rstudio-server install, as long as you put rstudio_auth in your PATH and then set your RSTUDIO PASSWORD variable when starting the server.

Something like this should work:

Download simple authentication

wget -O /wherever/you/installed/rstudio-server/bin/rstudio_auth https://raw.githubusercontent.com/nickjer/singularity-rstudio/27acb82cbc14796f341c4d3e7bde69fa55d98e91/rstudio_auth.sh

Ensure execute permissions

chmod a+rx /wherever/you/installed/rstudio-server/bin/rstudio_auth

Run rstudio server with password on the same line

RSTUDIO_PASSWORD="password" rserver --auth-none 0 \ --auth-pam-helper rstudio_auth

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/grst/rstudio-server-conda/issues/3#issuecomment-597902197, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABVZRV5G6AY5O3UYJFYCJI3RHADXHANCNFSM4JBOICBA .

gponce-ars commented 4 years ago

Hi,

I followed the suggestions by @jdhayes but not sure why I still geting the error msg: Unable to connect to service

image

And in the terminal I can see the log of rserver and I see the msg below every time I try to access localhost:8787:

26 May 2020 07:12:00 [rserver] ERROR system error 111 
(Connection refused) [request-uri: /rpc/client_init]; OCCURRED AT void 
rstudio::core::http::LocalStreamAsyncClient::handleConnect(const 
rstudio_boost::system::error_code&) src/cpp/server/ServerSessionProxy.cpp:119; 
LOGGED FROM: void rstudio::server::session_proxy::
{anonymous}::logIfNotConnectionTerminated(const rstudio::core::Error&, const 
rstudio::core::http::Request&) src/cpp/server/ServerSessionProxy.cpp:382

Below is what I have in the start_rstudio_server.sh Any hint?

#!/bin/bash

##############################################
# USAGE: ./start_rstudio_server <PORT>
#   e.g. ./start_rstudio_server 8787
##############################################

CWD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
USER=`whoami`
# set a user-specific secure cookie key
COOKIE_KEY_PATH=/tmp/rstudio-server/${USER}_secure-cookie-key
rm -f $COOKIE_KEY_PATH
mkdir -p $(dirname $COOKIE_KEY_PATH)

python -c 'import uuid; print(uuid.uuid4())' > $COOKIE_KEY_PATH
# uuid > $COOKIE_KEY_PATH
chmod 600 $COOKIE_KEY_PATH

# store the currently activated conda environment in a file to be ready by rsession.sh
CONDA_ENV_PATH=/tmp/rstudio-server/${USER}_current_env
rm -f $CONDA_ENV_PATH
echo "## Current env is >>"
echo $CONDA_PREFIX
echo $CONDA_PREFIX > $CONDA_ENV_PATH

export RETICULATE_PYTHON=$CONDA_PREFIX/bin/python

RSTUDIO_PASSWORD="password" /usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --www-port=$1 \
  --secure-cookie-key-file=$COOKIE_KEY_PATH \
  --rsession-which-r=$(which R) \
  --rsession-ld-library-path=$CONDA_PREFIX/lib \
  --rsession-path="$CWD/rsession.sh"
  --auth-none 0 \
  --auth-pam-helper rstudio_auth
syu-id commented 4 years ago

Hi, I successfully used @jdhayes's solution to run the server with a non-root user and a custom password.

My configuration:

start_rstudio_server.sh

/usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --auth-none 0 \
  --auth-pam-helper-path /path/to/rstudio_auth.sh \
  # other options ...

rstudio_auth.sh

wget https://raw.githubusercontent.com/nickjer/singularity-rstudio/master/rstudio_auth.sh
chmod 755 rstudio_auth.sh

After the comment "Confirm username is supplied", change if [[ $# -ne 1 ]] to if [[ $# -lt 1 ]] I found RStudio Server actually passes three arguments to the auth script: <USER> rstudio 1

# Confirm username is supplied
if [[ $# -lt 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi

I store my password in ~/.rstudio_mypsw and run the server like this (in a conda environment):

RSTUDIO_PASSWORD="$(cat ~/.rstudio_mypsw)" ./start_rstudio_server.sh 8787
grst commented 3 years ago

I now added instructions how to use a containerized rstudio (rocker/rstudio) with conda envs. With that approach authentication works.

mecalderon commented 2 years ago

I got this error:

1

2

Some help?

Thanks!

grst commented 1 year ago

@mecalderon, your error seems unrelated to the authentication issue.

line 18: conda: command not found

suggests that conda isn't set up properly on your system. Please open a separate issue if (re-)installing conda doesn't fix your problem.

moxgreen commented 11 months ago

Do the solution proposed by @syu-id work on a simple conda environment, without containers? Why it is not ported on https://github.com/grst/rstudio-server-conda/tree/master/local/start_rstudio_server.sh ?

YinAoXiong commented 6 months ago

Hi, I successfully used @jdhayes's solution to run the server with a non-root user and a custom password.

My configuration:

start_rstudio_server.sh

/usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --auth-none 0 \
  --auth-pam-helper-path /path/to/rstudio_auth.sh \
  # other options ...

rstudio_auth.sh

wget https://raw.githubusercontent.com/nickjer/singularity-rstudio/master/rstudio_auth.sh
chmod 755 rstudio_auth.sh

After the comment "Confirm username is supplied", change if [[ $# -ne 1 ]] to if [[ $# -lt 1 ]] I found RStudio Server actually passes three arguments to the auth script: <USER> rstudio 1

# Confirm username is supplied
if [[ $# -lt 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi

I store my password in ~/.rstudio_mypsw and run the server like this (in a conda environment):

RSTUDIO_PASSWORD="$(cat ~/.rstudio_mypsw)" ./start_rstudio_server.sh 8787

Now it seems that we only need to add

--auth-none 0 \

You can log in using your original account and password.

Add

--auth-pam-helper-path /path/to/rstudio_auth.sh \

will prevent me from logging in