neurolibre / neurolibre-binderhub

developer resources for neurolibre.conp.ca

security #9

Open ltetrel opened 5 years ago

ltetrel commented 5 years ago

Maintain a list of bad users to ban, improve the security of the server.

agahkarakuzu commented 5 years ago

How do you define a bad user?

ltetrel commented 5 years ago

If you check this file, they maintain a list of banned users that we should reuse. One example is a guy trying to create a VoIP service using the binderhub: https://github.com/gesiscss/orc/blob/768f302f83e5668a6c1c38e079bf3289e1a5f26f/gesisbinder/gesisbinder/values.yaml#L38-L43

pbellec commented 4 years ago

For mybinder, it makes sense to exclude domains that are abusing the service. But in our case, we should basically block anything, except for the github.com/neurolibre organization (and possibly others in the future). I am not sure whether such a restriction rule is already supported.

ltetrel commented 4 years ago

https://binderhub.readthedocs.io/en/latest/reference/repoproviders.html#binderhub.repoproviders.RepoProvider

We could have a regex that would match (ban) everything except the ones that contain neurolibre as the organization. Something like a negative match.

ltetrel commented 4 years ago

We now reject all repos that are not from the neurolibre organization.

pbellec commented 4 years ago

The test servers should still be open, and the previous approach inspired from mybinder is still useful in that context.
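The two policies discussed in this thread, the "negative match" allowlist for the production server and the mybinder-style deny list for the open test servers, can both be expressed as BinderHub `banned_specs` regexes. The snippet below is an added example, not code from the neurolibre-binderhub repository or from BinderHub itself: `is_banned` is a hypothetical re-implementation of how the `banned_specs` trait is assumed to be evaluated (each regex matched from the start of the `owner/repo/ref` spec), and the deny-list entries are constructed placeholders, not the real mybinder or gesis list.

```python
"""Allowlist vs. deny list for BinderHub repo specs (constructed example)."""
import re
from typing import Iterable

# Production server: reject every spec that does not belong to the neurolibre
# GitHub organization. The negative lookahead turns a deny list into an allowlist.
# A lookalike owner such as "neurolibre-fake/" is still rejected because the
# lookahead requires the exact prefix "neurolibre/".
PRODUCTION_BANNED_SPECS = [r"^(?!neurolibre/).*"]

# Test server: stays open to everyone, but reuses a mybinder-style deny list of
# repositories that abused the service. Constructed placeholders, not real entries.
TEST_BANNED_SPECS = [
    r"^abusive-org-placeholder/",          # constructed: ban a whole organization
    r"^someone-placeholder/voip-service",  # constructed: ban one repository
]


def is_banned(spec: str, banned_specs: Iterable[str]) -> bool:
    """Return True if any pattern matches the spec ("owner/repo/ref" for GitHub).

    Hypothetical re-implementation of the assumed ``banned_specs`` semantics:
    every entry is a regex matched from the start of the spec. Matching is
    case-insensitive because GitHub owner and repository names are.
    """
    return any(re.match(pattern, spec, re.IGNORECASE) for pattern in banned_specs)


def check_launch(spec: str, server: str) -> str:
    """Decide whether a launch is 'allowed' or 'rejected' on 'production' or 'test'."""
    banned = PRODUCTION_BANNED_SPECS if server == "production" else TEST_BANNED_SPECS
    return "rejected" if is_banned(spec, banned) else "allowed"


if __name__ == "__main__":
    for spec in [
        "neurolibre/some-submission/HEAD",
        "NeuroLibre/some-submission/HEAD",
        "neurolibre-fake/some-submission/HEAD",
        "someone-placeholder/voip-service/main",
        "anyone/regular-repo/main",
    ]:
        print(
            f"{spec:40} production={check_launch(spec, 'production'):8} "
            f"test={check_launch(spec, 'test')}"
        )
```

In the real deployment these lists would live under the `GitHubRepoProvider` configuration (the `banned_specs` key the linked gesis values.yaml shows); the point of the example is that the same deny-list mechanism gives the production server an allowlist while leaving the test server open to everything except known abusers.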

ltetrel commented 4 years ago

Agree! For now we still don't have a test binder (for the users) but I can spawn one.

ltetrel commented 4 years ago

Worth checking: https://github.com/appsecco/attacking-and-auditing-docker-containers-and-kubernetes-clusters