
IPython Notebook was launched without authentication

Eric Rasche edited this page Aug 15, 2014 · 1 revision

Cause

Under local testing circumstances or for a personal-use Galaxy, this might be fine. In production, if you see this error, something has gone very wrong and you should take steps to mitigate the issue immediately.

When IPython notebook is launched without authentication (password_auth = False), anyone can scan the port/URL range to see if IPython notebooks are running. They're distinctive because they run a Tornado server. Once a notebook is found, anyone can access it if password authentication is not configured, and can steal the user's API key from the configuration file accessible within the notebook docker image. We need to have this API key in order to allow use of BioBlend and access datasets within the user's history.

Solution

  • Turn on password_auth in production. Users should automatically be logged in whenever notebooks start, and there should be no end-user impact.

An alternative solution is to disable remote API access, thereby mitigating the API access attack. Any attacker would still have full access to the notebook image (even unauthenticated users), so this is likely to be a highly undesirable solution.
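As an added example (not code from the galaxy-ipython project), a small deployment preflight check that parses the notebook ini and reports a failure whenever password_auth is not explicitly enabled; the `[main]` section name and the two sample configs are assumptions, and an unset or unparseable value is treated as disabled:

```python
import configparser

# "password_auth" is the setting named on this page; the "[main]" section
# name is an assumption about the galaxy-ipython ini layout.
SECTION = "main"
KEY = "password_auth"

# Constructed sample configs (not taken from any real deployment).
WEAK_INI = """
[main]
apache_urls = False
password_auth = False
"""

HARDENED_INI = """
[main]
apache_urls = False
password_auth = True
"""


def password_auth_enabled(ini_text):
    """Return True only if the config explicitly enables password_auth.

    A missing section, a missing key, or a value that is not a recognised
    boolean is treated as disabled: an unset value means no authentication.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    try:
        return parser.getboolean(SECTION, KEY, fallback=False)
    except ValueError:
        # e.g. "password_auth = maybe": not one of yes/no/true/false/on/off/1/0
        return False


def audit_config(ini_text, production=True):
    """Return a list of (severity, message) findings; empty means it passes.

    In production an unauthenticated notebook exposes the user's Galaxy API
    key (see the Cause section above), so it is reported as a failure.
    """
    findings = []
    if not password_auth_enabled(ini_text):
        msg = "password_auth is not enabled; notebook will start unauthenticated"
        findings.append(("FAIL" if production else "WARN", msg))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_config(text) or "OK")
```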