Matlab-proxy Python module integration with OOD

I’ve been configuring the matlab-proxy Python module to work with Open OnDemand 2.0. I used the template from Rstudio and was able to get it to work so that I now have Matlab running in a browser like Rstudio (instead of using the noVNC method). The question I have is if there is a way to secure matlab-proxy? There doesn’t seem to be a password that gets set and passed along like in Rstudio or Jupyter. If I login on another computer as a different OOD user, I can simply type the URL from the first user session and get access to their Matlab session and their files via Matlab’s built-in file browser. Has anyone else configured matlab-proxy in OOD and more importantly found a way to secure it?

Hi Shawn.

Congrats on getting it all to work as you needed. As well, thanks for your question. It’s a great question. My answer is not sure off the top of my head. I will leave this be for someone else while I get with my colleagues and/or try figuring this out.

Thanks,
-gerald

Hi Shawn. My colleague has an answer for you.

@jeff.ohrstrom if you do not mind, could please send out your response.

Thanks,
-gerald

I have this working example of doing this with tensorboard which also doesn’t have any authentication. It boots a proxy for authentication and tensorboard in a private network namespace (from unshare), and slirpt4netns` to bind a external port into it.

Of course, this requires you’re site’s able to create network namespaces which is enabled by subuids.

https://man7.org/linux/man-pages/man5/subuid.5.html

We also have this github issue here where I say the same and Trey indicates how we sync subuids from LDAP (our /etc/ is NFS mounted so we can sync on one machine and it’s pushed out everywhere)

hope that helps!

1 Like

Hmmm… sounds relatively complex to get working. It would be nice if they just add a password feature to the matlab-proxy module.

What are the security implications beyond the password being displayed in the URL if you do something like this to generate the proxy base URL in before.sh.erb. Can it easily be retrieved by someone by means other than actually looking at the URL on the user’s screen?

# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port)

# Generate password
password="$(create_passwd 32)"
export MWI_BASE_URL="/matlab-$password"

thanks for letting me know that there is something like matlab-proxy. I see this is must-have feature for my system and my users.

What are the security implications beyond the password being displayed in the URL

let’s call it secret token. If we’d go with plain HTTP, anyone around can decode that, access that instance and effectively act as the user who ran matlab-proxy instance. So IMO pretty unhappy situation.

Anyway upstream documentation says we can specify

MWI_SSL_CERT_FILE

doesn’t that mean that we could secure the network communication with SSL?
Also let’s make sure that this variable can not be somehow exposed via job manager.

again, thanks for bringing this here!

EDIT: apparently, this topic is covered by this issue: Username and Password authentication · Issue #2 · mathworks/matlab-proxy · GitHub .

Hi Shawn,

I work at MathWorks as a product manager and I’d love to follow up with you offline regarding your question.

As you noted, the matlab-proxy package does not currently provide any built-in authentication capabilities for the MATLAB session – the package was originally designed with the assumption that authentication and any other access restrictions would be handled by another layer of the provisioning system. When adapting the capability for use within systems like Open OnDemand, this assumption may not necessarily be the case.

There are some possible avenues to try to address this on the OOD end as Jeff mentioned in his response regarding network namespaces. That said, we are also looking into some enhancements for the matlab-proxy package to potentially address this in a future release of the package.

We’ve seen some interest in token-based and password-based authentication and I’d love to hear your perspective on how you would like to recover tokens/passwords for MATLAB sessions that were previously launched. Would it be safe to assume that your users will have access to the machine where the matlab-proxy-app is running?

Please feel free to share your thoughts with me directly via email (nickchoi@mathworks.com).

Thanks,
Nick Choi
MathWorks