hpcugent / hanythingondemand

hanythingondemand provides a set of scripts to easily set up an ad-hoc Hadoop cluster through PBS jobs
https://hod.readthedocs.org
GNU General Public License v2.0

IPython security improvements #126

Open ehiggs opened 8 years ago

ehiggs commented 8 years ago

Currently the IPython notebooks use the fact that if someone is running a job on a node then they are the only ones able to log in to the node. And hence only they can make an ssh tunnel and hence access the web services (which have an IP mask to only allow local connections).

However, there is a loophole we didn't envision: in a classroom environment, users may be RDP'd into the same machine (e.g. a Windows machine) and if the class are all copy-pasting instructions to make a tunnel with the same port, then the first person to make the tunnel holds the port and then everyone else can access their notebook server.

So we will add passwords to the books. The way I think this should be done is to add a new command: `hod status <label>` or `hod show <label>` which will print information about a job. This information will basically be custom information that a dist can write to `~/.config/hod.d/<label>/info` and includes things like the generated password for an IPython notebook, and maybe ports available for Hadoop.

Alternatively, we could append to the env script so `hod connect <label>` will print it as part of the connection motd/preamble stuff.

boegel commented 8 years ago

By default, a random password of reasonable length should be used, but it should also be possible to set the password on submitting the cluster.

We should also try to avoid storing the passwords in cleartext; I'm not sure how difficult that would be.
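Added example, not part of the thread and not hanythingondemand code: one way to combine a random default password, an optional user-supplied one, and no cleartext on disk, by showing the password once and persisting only a salted hash in the `algorithm:salt:hexdigest` form that `IPython.lib.passwd` produces. The function names and the `ipython_password_hash` key in the info file are hypothetical.

```python
import hashlib
import os
import secrets
import tempfile

def generate_password(nbytes=18):
    """Random URL-safe password; 18 random bytes encode to 24 characters."""
    return secrets.token_urlsafe(nbytes)

def notebook_hash(password, algorithm="sha1"):
    """Salted hash in the 'algorithm:salt:hexdigest' form of IPython.lib.passwd."""
    salt = secrets.token_hex(6)  # 12 hex characters
    h = hashlib.new(algorithm)
    h.update(password.encode("utf-8") + salt.encode("ascii"))
    return "%s:%s:%s" % (algorithm, salt, h.hexdigest())

def verify(password, hashed):
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, salt, digest = hashed.split(":", 2)
    h = hashlib.new(algorithm)
    h.update(password.encode("utf-8") + salt.encode("ascii"))
    return secrets.compare_digest(h.hexdigest(), digest)

def write_info(config_root, label, hashed):
    """Store only the hash in <config_root>/<label>/info, owner-readable only."""
    directory = os.path.join(config_root, label)
    os.makedirs(directory, exist_ok=True)
    os.chmod(directory, 0o700)  # set explicitly; the makedirs mode is umask-masked
    path = os.path.join(directory, "info")
    # Create with 0600 from the start so the file is never world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("ipython_password_hash=%s\n" % hashed)  # hypothetical key name
    os.chmod(path, 0o600)  # also tighten a pre-existing file
    return path

def setup_notebook_auth(config_root, label, password=None):
    """Use the submitter's password if given, else generate one; persist the hash."""
    password = password or generate_password()
    hashed = notebook_hash(password)
    return password, hashed, write_info(config_root, label, hashed)

if __name__ == "__main__":
    root = tempfile.mkdtemp()  # stand-in for ~/.config/hod.d
    pw, _, path = setup_notebook_auth(root, "example-label")  # constructed label
    print("notebook password (shown once): %s\nhash stored in %s" % (pw, path))
```

A single salted SHA-1 round is cheap to guess against offline, so the file permissions and the length of the random default still matter; a short user-chosen password weakens this scheme.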

ehiggs commented 7 years ago

@boegel you can unassign me. :)