IP address whitelisting #4
Comments
|
This should be ready as of d763689. More testing is needed before this is merged with master. |
|
Unfortunately this may not be possible: See the docker changelog for the following quote from 0.8.1 release:
This was found via moby/moby#4424 |
hexylena
changed the title
|
Might be possible to hook into Galaxy's auth: |
|
Closed in favour of #6 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To secure containers (as best we can without access to galaxy's authentication), we need to provide IP address whitelisting for use in the containers. This is already started, but not complete due to docker issues.
There is a severe security vulnerability produced as a result of this lack of authentication, which we will consider in the following scenario:
Alice is happily using IPython Notebook from within Galaxy. Bob has turned evil and is portscanning galaxy instances looking for open IPython Notebooks (should be relatively trivial to do, not everyone runs python tornado webservers). Bob finds an open notebook, connects to it, and creates a new notebook in which he runs
At this point Bob knows Alice's API key and it's game over for her. He has complete access to all the data she has access to.
The text was updated successfully, but these errors were encountered: