
Making JupyterLab RTC an opt-in feature #441

Closed

consideRatio opened this issue Jun 1, 2021 · 5 comments

Labels
Enhancement An improvement to something or creating something new.

Comments

consideRatio (Contributor) commented Jun 1, 2021

Summary

JupyterLab Real Time Collaboration (RTC) is very soon generally available in JupyterLab 3.1 (3.1.0a10 is out now). The access control is non-existent: at this point you simply grant access to remote-control your server as if it were you yourself.

User Stories

  • As an end user, I want to click a button and share access to my server and get a Real Time Collaboration experience.
  • As an end user, I want to understand the security implication of my choices.

Acceptance criteria

This enhancement will require significant exploration work, so deciding what an acceptable outcome is will be a key first step, with which these acceptance criteria can later be updated.

  • An end-to-end workflow for a user is enabled
    • Example: user clicks share button, provides a link to another user who is granted access
  • Security is considered:
    • The token granting access provides access to the entire server, now and later I think. What is acceptable from a security standpoint and how do we get there?

Important information

With jupyterlab==3.1.0a10 installed, the following startup configuration change will enable link sharing access.

    singleuser:
      # cmd: I've experimented with these settings to get a JupyterLab RTC
      #      setup functioning. It currently is, but is this what makes
      #      sense to get it to function?
      #
      #      ref: https://github.com/jupyterlab-contrib/jupyterlab-link-share/issues/10#issuecomment-851899758
      #      ref: https://github.com/jupyterlab/jupyterlab/blob/1c8ff104a99e294265e6cf476dcb46279b0c3593/binder/jupyter_notebook_config.py#L39
      #
      #      Note the default in z2jh is jupyterhub-singleuser.
      cmd:
        - jupyterhub-singleuser
        - --LabApp.collaborative=True
        - --ServerApp.allow_remote_access=True

With jupyterlab-contrib/jupyterlab-link-share we get a button exposing a token in a link that can be shared. To my knowledge this is not functioning properly yet with modern versions of JupyterHub etc.; I've opened an issue about it, see: jupyterlab-contrib/jupyterlab-link-share#10

Tasks to complete

  • Discuss and decide on acceptance criteria
  • Implementation steps...

consideRatio added the labels Enhancement (An improvement to something or creating something new.) and 🏷️ research on Jun 1, 2021
yuvipanda (Member) commented

Amazing! To do this,

  • The image has appropriate version of lab
  • singleuser.cmd is set in the appropriate file in hub/config/<cluster>.yaml.

damianavila (Contributor) commented

Amazing, indeed... BUT,

Security is considered:
The token granting access provides access to the entire server now and later I think.

I am very worried about the security implications here... Because people excited to try the new stuff will not successfully realize the associated risk, and the links will be easily (and publicly) shared.

What is acceptable from a security standpoint and how do we get there?

A minimally acceptable security standpoint, IMHO, would be having some sort of minimal authn/authz layer that will prevent users not belonging to the certain Hub to reach out to that server being shared. I acknowledge that, probably, the minimal layer I am asking for is not a trivial amount of work...
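One operational consequence of the two concerns above (a share link carries a bearer token that grants full access to the server, and such links will end up pasted into public chats and issues) is that a Hub operator needs a way to spot and neutralise leaked links after the fact. The script below is an added example for this thread, not code from this repository or from jupyterlab-link-share: it scans lines of text (a chat export, a ticket body, a CI log) for links to a configured set of Hub hostnames, records who owns the shared server and how long the exposed token was, and rewrites the line with the token redacted so the text can be stored or forwarded safely. The link shape it looks for (`https://<hub>/user/<name>/lab?token=<value>`), the hostnames in `HUB_HOSTS` and the sample lines are all assumptions constructed for the example.

```python
"""Find and redact leaked JupyterHub/JupyterLab share links in free text.

Added example (not code from this issue or from jupyterlab-link-share). The
link layout scanned for, ``https://<hub>/user/<name>/lab?token=<value>``, is an
assumption about how share links look; adjust HUB_HOSTS and the URL pattern for
your own deployment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hub hostnames whose links carry tokens we care about (assumed for the example).
HUB_HOSTS = {"hub.example.org", "staging.hub.example.org"}

# Rough URL matcher: stops at whitespace/brackets/quotes and refuses to end on
# trailing punctuation, so "...?token=abc!" yields the URL without the "!".
URL_RE = re.compile(r"""https?://[^\s<>"'()]*[^\s<>"'().,;:!?]""")


@dataclass(frozen=True)
class Finding:
    host: str              # Hub hostname the link pointed at
    user: Optional[str]    # server owner parsed from /user/<name>/..., if present
    token_len: int         # length of the token that was exposed
    redacted_url: str      # the link as it appears after redaction


def _owner_from_path(path: str) -> Optional[str]:
    """Return <name> from a /user/<name>/... path, or None."""
    parts = path.split("/")
    if len(parts) > 2 and parts[1] == "user" and parts[2]:
        return parts[2]
    return None


def redact_url(url: str) -> Tuple[str, int]:
    """Replace any non-empty ``token`` query value with REDACTED.

    Returns the rewritten URL and the length of the removed token (0 if the
    URL carried no token). Other query parameters are preserved.
    """
    parts = urlsplit(url)
    token_len = 0
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "token" and value:
            token_len = len(value)
            value = "REDACTED"
        query.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(query))), token_len


def scan_lines(lines: List[str]) -> Tuple[List[str], List[Finding]]:
    """Scan text lines for Hub share links; return (redacted lines, findings).

    Only URLs whose hostname is in HUB_HOSTS are touched; links to any other
    site are left exactly as written, even if they carry a ``token`` parameter.
    """
    findings: List[Finding] = []
    cleaned: List[str] = []
    for line in lines:
        def _replace(match: "re.Match[str]") -> str:
            url = match.group(0)
            parts = urlsplit(url)
            host = parts.hostname or ""
            if host not in HUB_HOSTS:
                return url
            new_url, token_len = redact_url(url)
            if token_len:
                findings.append(Finding(host, _owner_from_path(parts.path), token_len, new_url))
            return new_url
        cleaned.append(URL_RE.sub(_replace, line))
    return cleaned, findings


# Constructed sample input, e.g. lines from a chat export (not real tokens).
SAMPLE_LINES = [
    "alice: here is my notebook https://hub.example.org/user/alice/lab?token=4f1c2d9ab0e3c8a7 come take a look!",
    "bob: thanks! see also https://docs.jupyter.org/ for the API",
    "carol: staging copy https://staging.hub.example.org/user/carol/lab/tree/work?token=deadbeefcafe0123&reset",
    "dave: unrelated site https://other.example.com/?token=shouldnotmatch",
]

if __name__ == "__main__":
    cleaned_lines, found = scan_lines(SAMPLE_LINES)
    for finding in found:
        print(f"leaked token ({finding.token_len} chars) for {finding.user}@{finding.host}")
    print("\n".join(cleaned_lines))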

yuvipanda (Member) commented

The token granting access provides access to the entire server now and later I think.

This depends on the token being issued. It could be just as long as the current session.

damianavila (Contributor) commented

This depends on the token being issued. It could be just as long as the current session.

OK, that seems to reduce/restrict the potential damage...

consideRatio (Contributor, Author) commented Feb 24, 2023

The title is relevant, but the content is outdated. I'll go for a close, expecting another issue to track this already, or that it's better to start fresh when JupyterHub 4 and JupyterLab 4 are out with some relevant updates.

4 participants