[IPython-dev] Running notebook server and kernels as different users

Jason Grout jason-sage at creativetrax.com
Fri Aug 16 15:36:36 EDT 2013

On 8/16/13 2:03 PM, Leo Singer wrote:
> Hello,
> I am helping to set up a notebook server as part of the open data
> initiative for LIGO (http://ligo.org/), a physics experiment on which
> I am working as a graduate student. The idea is to have a runnable,
> on-demand tutorial to show users how to retrieve and manipulate our
> experiment's data.
> I have a question about security. We'd like to activate SSL, but
> since the notebook server and the Python kernels run as the same
> users, I am concerned that users would have the ability to read the
> server's private key and then compromise it. Almost as bad, users
> could send a kill signal to the notebook server.
> Is there a way to have the notebook server start as one user and then
> run the kernels as another user, to protect the notebook server
> itself from such attacks?

We do this with the Sage Cell Server [1], which uses the IPython
infrastructure (but not most of the IPython notebook code).  We wrote
TrustedKernelManager and UntrustedKernelManager classes that basically
forward all kernel manager requests between the trusted (web server)
account and the untrusted (restricted worker) account over an ssh or 
zeromq link.

Feel free to look at the source code, if you like: 

But you can do the SSL part without compromising security.  Just run 
HAProxy or nginx as a reverse proxy in front of the notebook, and have 
your SSL terminate at HAProxy or nginx.  Another very common thing is to 
set up stunnel in front of your internal unencrypted server.  In each of 
these situations, the SSL will be decrypted by a reverse proxy running 
on your computer, and then connections will be forwarded (unencrypted, 
but only locally) on the local computer to the IPython notebook.



[1] https://sagecell.sagemath.org

More information about the IPython-dev mailing list