I was wondering if there were any plans for supporting pluggable authentication in the notebook.
I looked at the code and it doesn't seem too hard to support alternate forms of authentication (e.g. LDAP) by making callouts from ipython.lib.security.passwd_check. If there is any interest I can probably get this working. Also - any coding/style guidelines that I should follow would be appreciated.
We have a number of users (at LBL/NERSC) that want to run ipython notebooks and rather than having them set up their own password hashes we'd like to use an existing password database to validate these credentials. This allows us to move away from the mode of users managing their own passwords and allows us to offer the notebook as a service.
Let me make sure I understand you correctly: you want each user to be able to run their own notebook server, but to use their UNIX username and password to authenticate to the notebook. Is this a fair statement? That would very much fit into the model we are moving towards and we would be interested in supporting this type of authentication. Here are some thoughts on this:
We should create an authentication object that inherits from IPython's Configurable class. It should define a pretty generic auth interface that we can implement different subclasses for. For your case, simple PAM-based auth would probably work fine. The username should be chosen to match the user that starts the notebook. It won't be much code.
Then in the main notebook app, we would need to define a configurable attribute that allows selection of which auth class to use.
You could then provide your users with a simple ipython_notebook_config.py file that sets the right options.
How does this sound?
Hi Brian - that is pretty close to what I was thinking. The one minor difference was that I was thinking the user could actually pass in their username through the login interface, to allow for a more flexible login mechanism. (This could itself be configurable too).
But the actual authentication should be completely configurable, and should be able to talk to a wide set of backends that would return a True or False assertion.
Hi Brian - FYI - I have a prototype that uses LDAP authentication (running as a non-root user). You don't actually need to be root to do LDAP auth. :)
Mostly I was trying to get to the point where authentication was pluggable - i.e. instead of calling the standard passwd_check, you could call something else that returns True or False. I'll ping you directly via email to discuss this some more.
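The design discussed in the posts above (a generic auth interface with swappable backends that answer True or False, selected by a config value, with the username tied to the account that started the server), as an added example that is not code from IPython or from any participant in this thread. The class names, the `BACKENDS` registry and the `algorithm:salt:hexdigest` entry layout are assumptions made for the illustration; an LDAP or PAM backend would be one more `Authenticator` subclass.

```python
import getpass
import hashlib
import hmac


class Authenticator:
    """Hypothetical plug-in interface: a backend answers True or False."""

    def authenticate(self, username, password):
        raise NotImplementedError


class HashedPasswordAuthenticator(Authenticator):
    """Checks a stored 'algorithm:salt:hexdigest' entry (assumed layout)."""

    def __init__(self, entry):
        self.entry = entry

    def authenticate(self, username, password):
        algorithm, salt, digest = self.entry.split(":", 2)
        h = hashlib.new(algorithm)
        h.update(password.encode("utf-8") + salt.encode("ascii"))
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(h.hexdigest(), digest)


class OwnerOnly(Authenticator):
    """Accepts only the account that started the server process."""

    def __init__(self, backend, owner=None):
        self.backend = backend
        self.owner = owner or getpass.getuser()

    def authenticate(self, username, password):
        return username == self.owner and self.backend.authenticate(username, password)


# Registry keyed by a config value; unknown names are rejected at startup.
BACKENDS = {"hashed": HashedPasswordAuthenticator}


def load_backend(name, *args):
    if name not in BACKENDS:
        raise ValueError("unknown auth backend: %r" % name)
    return BACKENDS[name](*args)


def check_login(auth, username, password):
    """Fail closed: a backend error or a non-bool answer counts as a refusal."""
    try:
        return auth.authenticate(username, password) is True
    except Exception:
        return False
```

Routing every login through `check_login` means a backend that raises (directory server unreachable, malformed stored entry) or returns a merely truthy value never results in an accepted login.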
You can spawn one server per user with a proxy and use url redirection on the proxy if you wish.
I have an early prototype of something that can potentially do that if it interests you.
@shreddd - any chance you could provide the code to do LDAP auth? I'm looking at doing a similar thing for ActiveDirectory/Kerberos and expect the two to be almost identical.
Thanks @shreddd - I'll take a look at that and figure out what is best to do. Out of interest, are you doing this for a public service, or is it for an internal/organisational deployment?
I think this can now be closed thanks to the addition of #6977.
@pelson thanks for catching it.