Matlab-proxy Python module integration with OOD

I’ve been configuring the matlab-proxy Python module to work with Open OnDemand 2.0. I used the template from Rstudio and was able to get it to work so that I now have Matlab running in a browser like Rstudio (instead of using the noVNC method). The question I have is if there is a way to secure matlab-proxy? There doesn’t seem to be a password that gets set and passed along like in Rstudio or Jupyter. If I login on another computer as a different OOD user, I can simply type the URL from the first user session and get access to their Matlab session and their files via Matlab’s built-in file browser. Has anyone else configured matlab-proxy in OOD and more importantly found a way to secure it?

Hi Shawn.

Congrats on getting it all to work as you needed. As well, thanks for your question. It’s a great question. My answer is not sure off the top of my head. I will leave this be for someone else while I get with my colleagues and/or try figuring this out.

Thanks,
-gerald

Hi Shawn. My colleague has an answer for you.

@jeff.ohrstrom if you do not mind, could you please send out your response.

Thanks,
-gerald

I have this working example of doing this with tensorboard, which also doesn’t have any authentication. It boots a proxy for authentication and tensorboard in a private network namespace (from unshare), and slirp4netns to bind an external port into it.

Of course, this requires that your site is able to create network namespaces, which is enabled by subuids.

https://man7.org/linux/man-pages/man5/subuid.5.html

We also have this GitHub issue here where I say the same and Trey indicates how we sync subuids from LDAP (our /etc/ is NFS mounted so we can sync on one machine and it’s pushed out everywhere).

Hope that helps!


Hmmm… sounds relatively complex to get working. It would be nice if they just add a password feature to the matlab-proxy module.

What are the security implications beyond the password being displayed in the URL if you do something like this to generate the proxy base URL in before.sh.erb? Can it easily be retrieved by someone by means other than actually looking at the URL on the user’s screen?

# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port)

# Generate password
password="$(create_passwd 32)"
export MWI_BASE_URL="/matlab-$password"

Thanks for letting me know that there is something like matlab-proxy. I see this is a must-have feature for my system and my users.

What are the security implications beyond the password being displayed in the URL

Let’s call it a secret token. If we’d go with plain HTTP, anyone around can decode that, access that instance and effectively act as the user who ran the matlab-proxy instance. So IMO a pretty unhappy situation.

Anyway upstream documentation says we can specify

MWI_SSL_CERT_FILE

Doesn’t that mean that we could secure the network communication with SSL?
Also let’s make sure that this variable cannot be somehow exposed via the job manager.

Again, thanks for bringing this here!

EDIT: Apparently, this topic is covered by this issue: Username and Password authentication · Issue #2 · mathworks/matlab-proxy · GitHub.

Hi Shawn,

I work at MathWorks as a product manager and I’d love to follow up with you offline regarding your question.

As you noted, the matlab-proxy package does not currently provide any built-in authentication capabilities for the MATLAB session – the package was originally designed with the assumption that authentication and any other access restrictions would be handled by another layer of the provisioning system. When adapting the capability for use within systems like Open OnDemand, this assumption may not necessarily be the case.

There are some possible avenues to try to address this on the OOD end as Jeff mentioned in his response regarding network namespaces. That said, we are also looking into some enhancements for the matlab-proxy package to potentially address this in a future release of the package.

We’ve seen some interest in token-based and password-based authentication and I’d love to hear your perspective on how you would like to recover tokens/passwords for MATLAB sessions that were previously launched. Would it be safe to assume that your users will have access to the machine where the matlab-proxy-app is running?

Please feel free to share your thoughts with me directly via email (nickchoi@mathworks.com).

Thanks,
Nick Choi
MathWorks

Shawn,

Is your app for matlab-proxy public? If not, any chance you could post the important bits, such as what env/settings you are setting for matlab-proxy to get it to work with OnDemand?

I noticed by default I could only connect over localhost and wasn’t able to get remote connection to the matlab-proxy web server working.

Hi Nicholas,

I’m not using matlab-proxy in production at this time, but I think these are the changes I made to add a random token to the matlab-proxy URL. I believe there is an easier/better way to do this, but I haven’t had the time to dig into it.

The view.html.erb looks like this

<a href="/rnode/<%= host %>/<%= port %>/matlab-<%= password %>/index.html" target="_blank" class="btn btn-primary">
    <i class="fas fa-eye"></i> Connect to Matlab
</a>

The template/before.sh.erb looks like this

# Export the module function if it exists
[[ $(type -t module) == "function" ]] && export -f module

# Find available port to run server on
port=$(find_port)

# Generate password
password="$(create_passwd 32)"
export MWI_BASE_URL="/matlab-$password"

The end of my template/script.sh.erb looks like this

# There is the normal script.sh.erb stuff above this to load modules, etc. 

# Launch the Matlab via Proxy Server
set -x
export XDG_RUNTIME_DIR=""
export MWI_APP_PORT="$port"
#export MWI_BASE_URL="/matlab"
export MLM_LICENSE_FILE="/opt/tcnjhpc/matlab_R2021b/licenses/network.lic"
matlab-proxy-app >/dev/null 2>&1

Thanks for the data!

Looks like the issue I ran into was due to the proxy only listening to ‘127.0.0.1’ by default. There is an undocumented option to fix this.

export MWI_APP_HOST="0.0.0.0"

They also added token based authentication. Once I get an app put together I’ll make it publicly available. Overall the interface looks way better than it does over the typical VNC setup.

In case anyone wants to reference this in the future here is a full working copy of a MATLAB app using the new MATLAB Proxy server. It includes password protection which was recently added in the proxy app.

It does not currently use containers but instead loads MATLAB and conda through Lmod.

I’m happy it turned out to be relatively simple compared to some of the other interactive apps I’ve put together.

Hi Shawn,

To provide a quick update on this - we recently added support for token-based authentication to the matlab-proxy package, enabling you to provide more secure access to MATLAB from browser-based environments such as Open OnDemand.

You can enable this feature by setting an environment variable before launching the app. The tokens can be either autogenerated or manually specified (using an additional environment variable). I encourage you to read this GitHub README to learn more about how you can leverage token-based authentication in tandem with SSL to enhance the security of your browser-based MATLAB implementations in OOD:

Multiple sites have already integrated MATLAB through JupyterHub or through other systems like Open OnDemand. It is really great to see examples of sites sharing examples of their MATLAB OOD apps on Discourse/GitHub – thanks for sharing @nvonwolf!

I look forward to seeing more examples of MATLAB OOD apps (using matlab-proxy or traditional noVNC) once you get a chance to try some of the latest enhancements!

If you have any feedback on the token-based authentication feature, please feel free to share your thoughts with me directly via email (nickchoi@mathworks.com).

Thanks,
Nick Choi
Product Manager, Cloud Platform Integrations
MathWorks
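
As an added example (not code from this thread or from MathWorks), a preflight for script.sh.erb that pulls together the points raised above: create the token from the kernel CSPRNG, keep a copy only the job owner can read, and refuse to launch unless token authentication is on. MWI_ENABLE_TOKEN_AUTH, MWI_AUTH_TOKEN and MWI_SSL_KEY_FILE are names from the matlab-proxy README rather than from this thread, so confirm them against the installed version; the function names and the matlab_token file are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. MWI_SSL_CERT_FILE appears in the posts
# above; MWI_ENABLE_TOKEN_AUTH, MWI_AUTH_TOKEN and MWI_SSL_KEY_FILE are taken
# from the matlab-proxy README (assumption: unchanged in your version).

# 2*N hex characters from /dev/urandom; URL-safe and never passed as argv.
gen_token() {
  od -An -N"${1:-16}" -tx1 /dev/urandom | tr -d ' \n'
}

# Keep a copy readable only by the job owner (mode 0600).
write_token_file() {
  ( umask 077 && printf '%s\n' "$2" >"$1" ) && chmod 600 "$1"
}

# Return 0 when the settings are fit to launch; each problem goes to stderr.
preflight() {
  local rc=0 tok="${MWI_AUTH_TOKEN:-}"
  local cert="${MWI_SSL_CERT_FILE:-}" keyfile
  if [ "${MWI_ENABLE_TOKEN_AUTH:-}" != "True" ]; then
    echo "preflight: token auth is not enabled" >&2; rc=1
  fi
  if [ "${#tok}" -lt 32 ]; then
    echo "preflight: token is missing or shorter than 32 characters" >&2; rc=1
  fi
  case "$tok" in *[!A-Za-z0-9_-]*)
    echo "preflight: token is not URL-safe" >&2; rc=1 ;;
  esac
  if [ -n "$cert" ]; then
    keyfile="${MWI_SSL_KEY_FILE:-$cert}"  # the key may live in the cert PEM
    if [ ! -r "$cert" ] || [ ! -r "$keyfile" ]; then
      echo "preflight: SSL cert or key file is not readable" >&2; rc=1
    else
      case "$(stat -c %a "$keyfile")" in  # GNU stat, as on Linux nodes
        600|400) ;;
        *) echo "preflight: SSL key is accessible to group/other" >&2; rc=1 ;;
      esac
    fi
  fi
  return "$rc"
}

# Intended use in script.sh.erb (commented so this file runs without MATLAB):
#   export MWI_ENABLE_TOKEN_AUTH="True" MWI_AUTH_TOKEN="$(gen_token 16)"
#   write_token_file "$PWD/matlab_token" "$MWI_AUTH_TOKEN"
#   preflight && matlab-proxy-app >/dev/null 2>&1
```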

Thanks for sharing this feedback - a description for the MWI_APP_HOST environment variable has been added to the documentation/README!

Also, it should now default to “0.0.0.0” as of v0.4.0 of the matlab-proxy package.

@nickchoi-mw

Thank you and your team for your hard work! Also for making this tooling available outside of just MATLAB Cloud.

So far things have been working really well; the only thing missing, that has been reported by users, is an equivalent to matlab -r 'myscript;exit'. In our regular XFCE version of MATLAB we provide the ability to automatically start code when MATLAB is launched. Some users use this to have their code automatically start in Slurm partitions where there is typically a long wait/queue time. Others use this in conjunction with a backfill partition so that if their jobs are stopped and requeued they can continue without intervention. In most cases for this we recommend users use submission scripts and headless MATLAB, but in some use cases they like to check in on their jobs mid run to view active visualization windows. To me this is weird, but MATLAB had the option so we implemented it.

Also, now that I’m thinking of it, another nice-to-have would be an option to stop the MATLAB proxy server and have it shut down, instead of just relaunching MATLAB. This could be a button on the proxy overlay menu. The purpose is so that when users are done with MATLAB early they can stop the proxy to free up resources. This is a shortcoming with OnDemand itself, as currently you can’t stop interactive apps early without the card/logs being deleted and the job showing as cancelled in the Slurm database.

@nvonwolf

Thank you for providing feedback - this is very helpful!

I created enhancement requests for both topics so the development team can look into this further.

Thanks,
Nick