pluggable authentication #2770

Closed
shreddd opened this Issue Jan 10, 2013 · 12 comments

5 participants

@shreddd
shreddd commented Jan 10, 2013

I was wondering if there were any plans for supporting pluggable authentication in the notebook.

I looked at the code and it doesn't seem too hard to support alternate forms of authentication (e.g. LDAP) by making callouts from ipython.lib.security.passwd_check. If there is any interest I can probably get this working. Also - any coding/style guidelines that I should follow would be appreciated.

Thanks
-Shreyas

@ellisonbg
IPython member
@shreddd
shreddd commented Jan 11, 2013

We have a number of users (at LBL/NERSC) that want to run ipython notebooks and rather than having them set up their own password hashes we'd like to use an existing password database to validate these credentials. This allows us to move away from the mode of users managing their own passwords and allows us to offer the notebook as a service.

@ellisonbg
IPython member

Let me make sure I understand you correctly: you want each user to be able to run their own notebook server, but to use their UNIX username and password to authenticate to the notebook. Is this a fair statement? That would very much fit into the model we are moving towards and we would be interested in supporting this type of authentication. Here are some thoughts on this:

We should create an authentication object that inherits from IPython's Configurable class. It should define a pretty generic auth interface that we can implement different subclasses for. For your case, simple PAM based auth would probably work fine. The username should be chosen to match the user that starts the notebook. It won't be much code.

Then in the main notebook app, we would need to define a configurable attribute that allows selection of which auth class to use.

You could then provide your users with a simple ipython_notebook_config.py file that sets the right options.

How does this sound?

@shreddd
shreddd commented Jan 11, 2013

Hi Brian - that is pretty close to what I was thinking. The one minor difference was that I was thinking the user could actually pass in their username through the login interface, to allow for a more flexible login mechanism. (This could itself be configurable too).

But the actual authentication should be completely configurable, and should be able to talk to a wide set of backends that would return a True or False assertion.
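
The design discussed in the two comments above (a generic auth interface with swappable backends, selected by a configurable class name, each backend returning only True or False) can be sketched as follows. This is an added example, not code from the thread or from IPython: all class and function names are hypothetical, and plain Python classes stand in for IPython's Configurable.

```python
# Added illustration; names are hypothetical, not IPython's API.
import hashlib
import hmac
import importlib
import os


class Authenticator:
    """Generic auth interface: subclasses return True or False, nothing else."""

    def authenticate(self, username: str, password: str) -> bool:
        raise NotImplementedError


class HashedPasswordAuthenticator(Authenticator):
    """Default backend: one salted PBKDF2 hash for the user who owns the server."""

    ITERATIONS = 100_000

    def __init__(self, owner: str, password: str):
        self.owner = owner
        self.salt = os.urandom(16)
        self.digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def authenticate(self, username: str, password: str) -> bool:
        # Always compute the hash, and compare both fields in constant time.
        ok_pw = hmac.compare_digest(self._hash(password), self.digest)
        ok_user = hmac.compare_digest(username.encode(), self.owner.encode())
        return ok_pw and ok_user


def load_authenticator_class(dotted_name: str) -> type:
    """Resolve the configured class name; refuse anything that is not an Authenticator."""
    module_name, _, class_name = dotted_name.rpartition(".")
    cls = getattr(importlib.import_module(module_name), class_name)
    if not (isinstance(cls, type) and issubclass(cls, Authenticator)):
        raise TypeError(f"{dotted_name} is not an Authenticator subclass")
    return cls


def check_login(auth: Authenticator, username: str, password: str) -> bool:
    """Login handler hook: fail closed if the backend errors or returns a non-bool."""
    try:
        return auth.authenticate(username, password) is True
    except Exception:
        return False
```

An LDAP or PAM backend would be another `Authenticator` subclass; `check_login` treats a backend exception or a truthy non-boolean return as a failed login rather than letting it through.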

@ellisonbg
IPython member
@shreddd
shreddd commented Jan 11, 2013

Hi Brian - FYI - I have a prototype that uses LDAP authentication (running as a non-root user). You don't actually need to be root to do LDAP auth. :)

Mostly I was trying to get to the point where authentication was pluggable - i.e. instead of calling the standard passwd_check, you could call something else that returns True or False. I'll ping you directly via email to discuss this some more.

@Carreau
IPython member
Carreau commented Jan 11, 2013

You can spawn one server per user with a proxy and use url redirection on the proxy if you wish.
I have an early prototype of something that can potentially do that if it interests you.

@pelson
pelson commented Nov 18, 2013

@shreddd - any chance you could provide the code to do LDAP auth? I'm looking at doing a similar thing for ActiveDirectory/Kerberos and expect the two to be almost identical.

Cheers!

@shreddd
@pelson
pelson commented Nov 19, 2013

Thanks @shreddd - I'll take a look at that and figure out what is best to do. Out of interest, are you doing this for a public service, or is it for an internal/organisational deployment?

@erasche erasche referenced this issue in bgruening/docker-ipython-notebook Jul 31, 2014
Closed

IP address whitelisting #4

@pelson
pelson commented Jan 30, 2015

I think this can now be closed thanks to the addition of #6977.

@minrk minrk modified the milestone: 3.0, wishlist Jan 30, 2015
@minrk
IPython member
minrk commented Jan 30, 2015

@pelson thanks for catching it.

@minrk minrk closed this Jan 30, 2015