Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No Authentication #3

Open
jdhayes opened this issue Oct 16, 2019 · 14 comments
Open

No Authentication #3

jdhayes opened this issue Oct 16, 2019 · 14 comments

Comments

@jdhayes
Copy link

jdhayes commented Oct 16, 2019

This is awesome and exactly what I need!
However, when running RStudio Server as a non root user, it seems to bypass the login page.
This is a big security risk for multi users systems.
Is there a way to have authentication functional by still running RStudio Server as a non root user?
@grst
Copy link
Owner

grst commented Oct 16, 2019 via email

@jdhayes
Copy link
Author

jdhayes commented Oct 16, 2019
edited
Loading

Oh, yes I had used a incognito tab and was still able to gain access, bypasses the login page.
Even when I logout, it brings me to the login page, however if I just remove the "auth-sign-in" part of the URL, it allows access without authentication.
I believe this may have something to do with the default for "--auth-none" flag is 1.
So, this means it will not authenticate by default. I turned this flag off, but now I am not able to login with the Linux user name and password.
Perhaps this is not related to how I am running RStudio server, but rather how I installed it?
I installed RStudio server as a non-root user.

@grst
Copy link
Owner

grst commented Oct 17, 2019

Thanks for investigating!
I can reproduce that on my current system.
I am a bit confused because I could have sworn that I had to authenticate using this method on a different system.

Let me know if you find something out!

@jarach
Copy link

jarach commented Jan 8, 2020

I'm also interested in solution for secure multi-user environment.
In may case, when I set --auth-none flag to 0 the login page doesn't appear - I'm getting connection error rather than login page.

Thanks

@grst grst mentioned this issue Jan 13, 2020
Closed
@jdhayes
Copy link
Author

jdhayes commented Mar 10, 2020

I had opened an issue with RStudio people, but was ignored.
So I ended up using this:
https://github.com/nickjer/singularity-rstudio
Which runs RStudio server within a container and allows you to set your own password within an environment variable.
Of course singularity needs to be installed, but seems to work perfect for our needs.

@jdhayes
Copy link
Author

jdhayes commented Mar 11, 2020
edited
Loading

Ah, ha!
This is more simple than I thought. You can add a simple password auth to any rstudio-server install, as long as you put rstudio_auth in your PATH and then set your RSTUDIO_PASSWORD variable when starting the server.

Something like this should work:

# Download simple authentication
wget -O /wherever/you/installed/rstudio-server/bin/rstudio_auth https://raw.githubusercontent.com/nickjer/singularity-rstudio/27acb82cbc14796f341c4d3e7bde69fa55d98e91/rstudio_auth.sh

# Ensure execute permissions
chmod a+rx /wherever/you/installed/rstudio-server/bin/rstudio_auth

# Run rstudio server with password on the same line
RSTUDIO_PASSWORD="password" rserver \
  --auth-none 0 \
  --auth-pam-helper rstudio_auth

@grst
Copy link
Owner

grst commented Mar 12, 2020 via email

@gponce-ars
Copy link

Hi,

I followed the suggestions by @jdhayes but not sure why I still geting the error msg:
Unable to connect to service

image

And in the terminal I can see the log of rserver and I see the msg below every time I try to access localhost:8787:

26 May 2020 07:12:00 [rserver] ERROR system error 111 
(Connection refused) [request-uri: /rpc/client_init]; OCCURRED AT void 
rstudio::core::http::LocalStreamAsyncClient::handleConnect(const 
rstudio_boost::system::error_code&) src/cpp/server/ServerSessionProxy.cpp:119; 
LOGGED FROM: void rstudio::server::session_proxy::
{anonymous}::logIfNotConnectionTerminated(const rstudio::core::Error&, const 
rstudio::core::http::Request&) src/cpp/server/ServerSessionProxy.cpp:382

Below is what I have in the start_rstudio_server.sh
Any hint?

#!/bin/bash

##############################################
# USAGE: ./start_rstudio_server <PORT>
#   e.g. ./start_rstudio_server 8787
##############################################

CWD="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
USER=`whoami`
# set a user-specific secure cookie key
COOKIE_KEY_PATH=/tmp/rstudio-server/${USER}_secure-cookie-key
rm -f $COOKIE_KEY_PATH
mkdir -p $(dirname $COOKIE_KEY_PATH)

python -c 'import uuid; print(uuid.uuid4())' > $COOKIE_KEY_PATH
# uuid > $COOKIE_KEY_PATH
chmod 600 $COOKIE_KEY_PATH

# store the currently activated conda environment in a file to be ready by rsession.sh
CONDA_ENV_PATH=/tmp/rstudio-server/${USER}_current_env
rm -f $CONDA_ENV_PATH
echo "## Current env is >>"
echo $CONDA_PREFIX
echo $CONDA_PREFIX > $CONDA_ENV_PATH

export RETICULATE_PYTHON=$CONDA_PREFIX/bin/python

RSTUDIO_PASSWORD="password" /usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --www-port=$1 \
  --secure-cookie-key-file=$COOKIE_KEY_PATH \
  --rsession-which-r=$(which R) \
  --rsession-ld-library-path=$CONDA_PREFIX/lib \
  --rsession-path="$CWD/rsession.sh"
  --auth-none 0 \
  --auth-pam-helper rstudio_auth

@syu-id
Copy link

syu-id commented Sep 24, 2020

Hi, I successfully used @jdhayes's solution to run the server with a non-root user and a custom password.

My configuration:

start_rstudio_server.sh

/usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --auth-none 0 \
  --auth-pam-helper-path /path/to/rstudio_auth.sh \
  # other options ...

rstudio_auth.sh

wget https://raw.githubusercontent.com/nickjer/singularity-rstudio/master/rstudio_auth.sh
chmod 755 rstudio_auth.sh

After the comment "Confirm username is supplied", change if [[ $# -ne 1 ]] to if [[ $# -lt 1 ]]
I found RStudio Server actually passes three arguments to the auth script: <USER> rstudio 1

# Confirm username is supplied
if [[ $# -lt 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi

I store my password in ~/.rstudio_mypsw and run the server like this (in a conda environment):

RSTUDIO_PASSWORD="$(cat ~/.rstudio_mypsw)" ./start_rstudio_server.sh 8787

@grst
Copy link
Owner

grst commented Jun 7, 2021

I now added instructions how to use a containerized rstudio (rocker/rstudio) with conda envs. With that approach authentication works.

@mecalderon

This comment was marked as off-topic.

Sign in to view
@grst

This comment was marked as off-topic.

Sign in to view
@moxgreen
Copy link

Do the solution proposed by @syu-id work on a simple conda environment, without containers?
Why it is not ported on https://github.com/grst/rstudio-server-conda/tree/master/local/start_rstudio_server.sh ?

@YinAoXiong
Copy link

Hi, I successfully used @jdhayes's solution to run the server with a non-root user and a custom password.

My configuration:

start_rstudio_server.sh

/usr/lib/rstudio-server/bin/rserver --server-daemonize=0 \
  --auth-none 0 \
  --auth-pam-helper-path /path/to/rstudio_auth.sh \
  # other options ...

rstudio_auth.sh

wget https://raw.githubusercontent.com/nickjer/singularity-rstudio/master/rstudio_auth.sh
chmod 755 rstudio_auth.sh

After the comment "Confirm username is supplied", change if [[ $# -ne 1 ]] to if [[ $# -lt 1 ]] I found RStudio Server actually passes three arguments to the auth script: <USER> rstudio 1

# Confirm username is supplied
if [[ $# -lt 1 ]]; then
  echo "Usage: auth USERNAME"
  exit 1
fi

I store my password in ~/.rstudio_mypsw and run the server like this (in a conda environment):

RSTUDIO_PASSWORD="$(cat ~/.rstudio_mypsw)" ./start_rstudio_server.sh 8787

Now it seems that we only need to add

--auth-none 0 \

You can log in using your original account and password.

Add

--auth-pam-helper-path /path/to/rstudio_auth.sh \

will prevent me from logging in

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@syu-id @jdhayes @moxgreen @grst @gponce-ars @YinAoXiong @jarach @mecalderon