This repository was archived by the owner on Oct 26, 2019. It is now read-only.

Option to expose auth bundle to kernel gateway #168

Closed
parente opened this issue Apr 5, 2016 · 1 comment

parente commented Apr 5, 2016

The auth passportjs strategies currently store arbitrary metadata in the express session. In some use cases, the kernel may need information from this bundle in order to act on behalf of the authenticated user. For example, if Dropbox is the configured OAuth dashboard provider, and a dashboard / notebook wants to read/write data from the authenticated dashboard user's Dropbox account, the scoped Dropbox access token granted privileges by the user at login needs to be shared with the kernel.

The kernel gateway has the ability to receive environment variables prefixed with KERNEL_ on a POST /api/kernels request and set these in the environment of a newly launched kernel. An option here in the dashboard server can take advantage of this to:

  1. Grab the user object from the passport strategy done(null, user) call.
  2. Pass it along as a JSON value for a KERNEL_USER_AUTH env var in the POST request.
  3. Write notebooks that read the env var, parse the JSON, and do what they want.

The option on the dashboard server in config.json can be:

```
// Forward auth strategy user profile to every kernel launched for every dashboard visited on the server
// e.g., so the kernel can re-use an auth token to access an external service
KG_FORWARD_USER_AUTH: false
```
parente added this to the 0.5.0 milestone Apr 5, 2016
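
The three steps proposed above, traced end to end as an added example; it is not part of the original issue or the project's code. The function names and sample user are hypothetical, and the `env` field of the request body is an assumption about how the `KERNEL_` variables are carried on `POST /api/kernels`.

```javascript
'use strict';

// Dashboard server side: body for POST /api/kernels. `config` stands in for
// config.json, `user` for the object a passport strategy passes to done(null, user).
function buildKernelRequest(config, user, kernelName) {
  const body = { name: kernelName };
  // Forward only when the operator opted in and a user is logged in.
  if (config.KG_FORWARD_USER_AUTH === true && user) {
    body.env = { KERNEL_USER_AUTH: JSON.stringify(user) };
  }
  return body;
}

// Gateway side (modelled, assumed behaviour): only KERNEL_-prefixed string
// values from the request reach the environment of the new kernel.
function kernelEnvFromRequest(body) {
  const out = {};
  for (const [key, value] of Object.entries(body.env || {})) {
    if (key.startsWith('KERNEL_') && typeof value === 'string') out[key] = value;
  }
  return out;
}

// Kernel side: what notebook code does with the variable (a real notebook
// would do the same in its own language).
function readForwardedAuth(env) {
  const raw = env.KERNEL_USER_AUTH;
  if (raw === undefined) return null; // forwarding disabled or anonymous visit
  try {
    const parsed = JSON.parse(raw);
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (err) {
    return null; // malformed value: treat as "no credentials"
  }
}

// Constructed sample data, not taken from the project.
const sampleUser = { username: 'alice', accessToken: 'EXAMPLE-TOKEN' };

function roundTrip(config, user) {
  const body = buildKernelRequest(config, user, 'python3');
  return readForwardedAuth(kernelEnvFromRequest(body));
}

console.log(roundTrip({ KG_FORWARD_USER_AUTH: true }, sampleUser));
console.log(roundTrip({ KG_FORWARD_USER_AUTH: false }, sampleUser)); // null
```

Whatever the strategy puts in the user object is readable by any code that runs in that kernel, which is why the proposed option defaults to `false`.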

parente commented Apr 5, 2016

Related to some of the comments in jupyter/dashboards#13. We've got some of the security licked already. This issue is about sharing of creds between frontend login and backend kernel.

/cc @lmeyerov

parente self-assigned this Apr 6, 2016
parente added a commit to parente/dashboards_server that referenced this issue Apr 7, 2016
Fixes jupyter#168

(c) Copyright IBM Corp. 2016
parente added a commit to parente/dashboards_server that referenced this issue Apr 7, 2016
Fixes jupyter#168

(c) Copyright IBM Corp. 2016
parente added a commit to parente/dashboards_server that referenced this issue Apr 12, 2016
* Don't pass all request headers to /api/kernels to avoid
  ping-ponging requests when Host/Origin are unexpected
* Fix random test failures by stubbing request.Request so that
  async callbacks we don't care about never happen
* Fix integration test breakage: integration-test requires
  etc/notebooks for the docker build so we can't ignore it

(c) Copyright IBM Corp. 2016
jtyberg added a commit that referenced this issue Apr 12, 2016
jameslmartin pushed a commit to jameslmartin/dashboards_server that referenced this issue Apr 20, 2016
Fixes jupyter#168

(c) Copyright IBM Corp. 2016
jameslmartin pushed a commit to jameslmartin/dashboards_server that referenced this issue Apr 20, 2016
* Don't pass all request headers to /api/kernels to avoid
  ping-ponging requests when Host/Origin are unexpected
* Fix random test failures by stubbing request.Request so that
  async callbacks we don't care about never happen
* Fix integration test breakage: integration-test requires
  etc/notebooks for the docker build so we can't ignore it

(c) Copyright IBM Corp. 2016