hpcugent / hanythingondemand

hanythingondemand provides a set of scripts to easily set up an ad-hoc Hadoop cluster through PBS jobs
https://hod.readthedocs.org
GNU General Public License v2.0
12 stars 6 forks source link

IPython security improvements #126

Open ehiggs opened 9 years ago

ehiggs commented 9 years ago

Currently the IPython notebooks use the fact that if someone is running a job on a node then they are the only ones able to log in to the node. And hence only they can make an ssh tunnel and hence access the web services (which have an IP mask to only allow local connections).

However, there is a loophole we didn't envision: in a classroom environment, users may be RDP'd into the same machine (e.g. a Windows machine) and if the class are all copy pasting instructions to make a tunnel with the same port, then the first person to make the tunnel holds the port and then everyone else can access their notebook server.

So we will add passwords to the books. The way I think this should be done is to add a new command: hod status <label> or hod show <label> which will print information about a job. This information will basically be custom information that a dist can write to ~/.config/hod.d/<label>/info and includes things like the generated password for an IPython notebook, and maybe ports available for Hadoop.

Alternatively, we could append to the env script so hod connect <label> will print it as part of the connection motd/preamble stuff.

boegel commented 9 years ago

By default, a random password of reasonable length should be used, but it should also be possible to set the password on submitting the cluster.

We should also try to avoid storing the passwords cleartext, I'm not sure how difficult that would be.

ehiggs commented 7 years ago

@boegel you can unassign me. :)