3

I have a simple bokeh server application and I want to expose it on a Linux-based Azure node. The server is there up and running.

My question is: how to protect the content by username and password? I do not need necessarily authentication of users.

My ideas so far (not tried, may not work)

  1. To create an extra bokeh server page with a text field.
  2. On the callback for a button, to add the test if the password fits. If it does, to redirect to the original server page. Otherwise, inform the user about wrong credentials.
Karel Macek
  • 1,119
  • 2
  • 11
  • 24
  • According to your security needs without authentication of users, I don't understand your security scenario without user authentication, which is very strange, please post more details. And I recommend to refer to the document [Authentication Scenarios for Azure AD](https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios) to know protection mechanism on Azure with AzureAD. – Peter Pan Apr 04 '17 at 08:56

1 Answers1

6

You can try to disable generation of session id's by bokeh server and generate them by external application only after user authentication:
(Based on this part of bokeh documentation)

  1. Generate secret key with bokeh secret command:
$ bokeh secret
oIWDL7DVYCaBJG9eYQ2Wvf2f2uhOAIM8xNS8Kds3eizV
  1. Set BOKEH_SECRET_KEY environment variable to generated value;
$ export BOKEH_SECRET_KEY=oIWDL7DVYCaBJG9eYQ2Wvf2f2uhOAIM8xNS8Kds3eizV
  1. Set another environment variable: 
$ export BOKEH_SIGN_SESSIONS=True
  1. Run bokeh server with --session-ids external-signed argument:
$ bokeh serve myApp --session-ids external-signed

In this mode user should provide valid (signed) session id to access bokeh server.

  1. Run simple external process to ask users for login and password and generate id's for them. Here is the example based on snippet from Flask documentation:


    from functools import wraps
    from flask import request, Response, redirect, Flask
    from bokeh.util import session_id

    app = Flask(__name__)

    def check_auth(username, password):
        return username == 'valid_user' and password == 'valid_password'

    def authenticate():
        """Sends a 401 response that enables basic auth"""
        return Response(
        'Could not verify your access level for that URL.\n'
        'You have to login with proper credentials', 401,
        {'WWW-Authenticate': 'Basic realm="Login Required"'})

    def requires_auth(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            auth = request.authorization
            if not auth or not check_auth(auth.username, auth.password):
                return authenticate()
            return f(*args, **kwargs)
        return decorated

    @app.route('/')
    @requires_auth
    def redirect_to_bokeh():
        s_id = session_id.generate_session_id()
        return redirect("http://<bokeh-server-addr>:<port>/?bokeh-session-id={}".format(s_id), code=302)

    if __name__ == "__main__":
        app.run()
  1. Now to access bokeh server user should go to Flask application and specify login and password.
timur
  • 198
  • 1
  • 2
  • 10