jupyter / dashboards_server

[RETIRED] Server that runs and renders Jupyter notebooks as interactive dashboards

Unable to call client-side IPython.notebook.kernel #309

Closed rs2 closed 7 years ago

rs2 commented 7 years ago

Client side js: IPython.notebook.kernel._wsUrl points to the nodejs host:port rather than kg_host:kg_port.

This prevents client-side js calls to Python kernels, which work as expected in the notebook of the form:

%%js
IPython.notebook.kernel.execute("my_var = 'barbaz'");
# Next cell
print(my_var)

Also IPython.notebook.kernel.ws_url is available in the notebook, but not dashboard.

The error is: kernel.js:1076 Connection lost, reconnecting in 1 seconds.

parente commented 7 years ago

Client-side JS is explicitly forbidden from sending code to the kernel. This is a design decision for security where the user of the dashboard is unknown and cannot necessarily be trusted.

If you're looking for a library that does allow arbitrary code to be sent from the browser to a kernel, Thebe is one place to look. https://github.com/jupyter-incubator/dashboards_server/wiki/Relation-to-Thebe

rs2 commented 7 years ago

> Client-side JS is explicitly forbidden from sending code to the kernel.

Would it be a good idea to make the error more informative? Seeing "Connection lost, reconnecting in 1 seconds." does not make it clear that executing Python from client side is prohibited by dashboards-server, but is allowed by Jupyter notebooks.

Is there an alternative approach for injecting arguments into a notebook, e.g. using bbq?

Is there perhaps a way to authenticate a user and make username (and/or http headers) available to the kernel? After all, session/sessionId is one of the basic building blocks for any web app :smile:

rs2 commented 7 years ago

@parente wow, injecting external arguments e.g. via GET arguments is totally possible using Jupyter comm messages. Got a working POC. Will blog about it.

parente commented 7 years ago

Comm is pretty wide open. The only security here in dashboard server is based on what you have listening and interpreting those messages on the kernel side.
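
An added illustration of the point about kernel-side listeners (not code from this thread or from dashboards_server): a comm target that treats every browser message as untrusted data and accepts only allowlisted, type-checked parameters. The target name `dash_params`, the parameter names and their limits are assumptions.

```python
import re

def check_ticker(v):
    # Constructed rule: 1-5 upper-case letters, nothing else.
    if not isinstance(v, str) or not re.fullmatch(r"[A-Z]{1,5}", v):
        raise ValueError("bad ticker")
    return v

def check_days(v):
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 365:
        raise ValueError("bad days")
    return v

# Allowlist of parameter names (hypothetical) and their validators.
ALLOWED = {"ticker": check_ticker, "days": check_days}

def parse_params(msg):
    """Return validated parameters from a comm message or raise ValueError."""
    content = msg.get("content") if isinstance(msg, dict) else None
    data = content.get("data") if isinstance(content, dict) else None
    if not isinstance(data, dict):
        raise ValueError("data must be a JSON object")
    if set(data) - set(ALLOWED):
        raise ValueError("unexpected keys")
    return {k: ALLOWED[k](v) for k, v in data.items()}

def on_open(comm, open_msg):
    """Comm target callback: keep validated values, never exec/eval input."""
    params = {}

    def on_msg(msg):
        try:
            params.update(parse_params(msg))
            comm.send({"ok": True})
        except ValueError as exc:
            comm.send({"ok": False, "error": str(exc)})

    comm.on_msg(on_msg)
    return params  # returned for inspection; the comm manager ignores it

# Inside a running kernel (needs ipykernel, so left commented out here):
# get_ipython().kernel.comm_manager.register_target("dash_params", on_open)
```
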

rs2 commented 7 years ago

@parente It appears that there is no way for custom.js to be executed in a similar fashion to how it is executed by a notebook: http://jupyter-notebook.readthedocs.io/en/latest/examples/Notebook/JavaScript%20Notebook%20Extensions.html#custom.js

Is that correct?

parente commented 7 years ago

Correct. There's no concept of custom.js in the dashboard server.