[IPython-dev] IPEP 3: Multiuser support in the notebook

MinRK benjaminrk at gmail.com
Sun Sep 9 14:53:05 EDT 2012

On Sun, Sep 9, 2012 at 9:39 AM, Matthias BUSSONNIER <
bussonniermatthias at gmail.com> wrote:

> Le 9 sept. 2012 à 18:10, Brian Granger a écrit :
> > Matthias,
> >
> >
> > On Sat, Sep 8, 2012 at 2:02 AM, Matthias BUSSONNIER
> > <bussonniermatthias at gmail.com> wrote:
> >>
> >>
> >> Comment on current IPEP version :
> >>
> >>>      • Users will have the ability to "live share" notebooks and their
> kernels. When a user clicks "live share" they will get a private and secure
> URL they can share with other users. These other users can then edit the
> notebook and run code on the kernel in a Google Docs like manner.
> >>
> >> This is one feature, but I would expect the ability to invite/remove
> user independently.
> >> Either by being able to tick checkboxes, or else. But nothing annoy me
> more than having to look into my email to find the link.
> >>
> >> Ability to have "soft" more grained privileges. Invite a user than can
> only edit and not run.
> >
> > One thing we need to think through is the different "modes" a user can
> > view a page in.  Minimally we have three boolean flags that determine
> > the mode: read, write, execute.  Are there others?
> I see 5 different level of authorization
>         • Ability to see a static version of the current saved, or
> specific version of the notebook (cf nbviewer).
>         • Ability to see a live edited version of the notebook, without
> being able to interact.
>         • Ability to edit part of the notebook and push the changes
>         • Ability to save the current changes on disk
>         • Ability to execute code on the kernel.

I don't think there's any reason to allow editing without saving.  That's
just confusing, so there's at most 4 here, and I'm not convinced that there
are even that many.  I only see:

1. read-only
2. write
3. execute

Now, we can decide whether read-only access gets live-updates or not, but I
cannot imagine a sensible scenario where an owner gives some users the
ability to watch changes, and others the ability to see the same thing only
if they keep hitting refresh.

> > One big thing we will have to work out is how to tune the
> > content/display of each page in a way that reflects these flags, but
> > that is secure.  Our current approach of setting a variable in JS to
> > control things is horribly insecure.  Ideas on this?

> We have to have more fine grained decorators in the handler side.
> Js side is just to make things pretty.

The JS code currently has nothing at all to do with security, it is only
there to help the UI be consistent with the permissions enforced on the
server.  If a read-only viewer executed JS to save or execute, they would
fail because they do not have permission.

> >
> >> Obviously we are really vulnerable to JS injection. We should
> definitely try to do something about that, even if we sell the notebook as
> beeing not totally secured. One thing we can use is html5 sandboxed feature
> of iframe. This could also solve the "problem" of css in ".rendered_html".
> >
> > I agree we need to think more about security, but that is really off
> > topic for this IPEP (i.e., the same technical problems exist for the
> > single user notebook).
> If you don't allow collaboration, then yes this is off topic.
> As soon as you add collaboration with username and password, you have a
> risk of user stealing each other account.
> We should think of it while building multi user account.

Collaboration is hugely complex, and I think it warrants an entirely
separate discussion.

> >
> >> Implementation wide for live collaborating, we should redirect the
> message using cell ID, otherwise this is a huge problem to redirect IOPub
> to all clients.
> >
> > I am not quite following you here.  Don't all clients need to get all
> > iopub messages?
> Yes they do.
> But they don't now how to handle it.
> if I run Safari and Chrome on "notebook_a"
> When I execute "1+1" on Safari, for cell 54, when iopub arrives on Chrome,
> it has no idea of what to do with it.
> I think we should proxy :
> Browser(s) ===>===> [execute+cell_id(+uuid ?)] ===>==> server strip
> cell_id (, add uuid) ? ==>==> kernel
> Browser(s) <===<==<===<===<===<==<===<===<=== server match uuid, append
> cell_id <==<=== kernel

I don't think we want to do this.

> >
> >>>      • Version control of notebooks will be done using the command
> line interface to git and other VCSs. These VCS command will be issued
> through the shell widget.
> >>
> >>
> >> I think some high level command would be great, like changing 'save'
> button, to 'commit' with a custom message that can be generated by user.
> >
> > We have talked about this before and we want to avoid creating a git
> > UI in the notebook.  The other issue is that repo level actions are
> > not per notebook, but per directory, so if we did add a commit button,
> > it would need to be on the directory dashboard, not the notebook page.
> >
> >> One of the things I came across while prototyping live collaboration is
> the real need to have the current state of the notebook on the kernel side.
> >> I think we should define a format of notebook 'patches' that represent
> common operation on a ipynb file, at least:
> >>        - appending/moving/deletting worksheet/cells
> >> preferably with reference to the worksheet/cell by UUID.
> >
> > I am not sure what you mean by having the notebook state on the
> > kernel.  We have to be very careful to keep the notebook and kernel
> > state completely separate.  Can you elaborate on why this was needed?
> > But actually, can you open a separate IPEP for live collaboration - it
> > is really a big topic in itself.
> I'm loading notebook state_a, starting kernel.... I type, change on cell,
> continue... don't save.... I am on state_b
> I invite you, you open your browser, server give you state_a.
> >> I also think that for live collaboration we need both a 'cell is being
> edited' lock, and also maybe a 'cell is being executed' lock.
> >
> > Yep, I think at the cell level that having locks like this makes sense
> > for us.  The problem is doing so in an asynchronous setting (what if
> > both of us lock the same cell before the server is notified?)
> No problem, just don't set code_mirror.allow_edit until true once the
> response : "you were able to put the lock" arrives.
> I did it in my prototype with
> request_lock(){
> succes... callback:lock_granted()
> error... callback:lock_refused()
> }
> --
> Matthias
> _______________________________________________
> IPython-dev mailing list
> IPython-dev at scipy.org
> http://mail.scipy.org/mailman/listinfo/ipython-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ipython-dev/attachments/20120909/e608d4fe/attachment.html>

More information about the IPython-dev mailing list