Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ENH] - Prefer use of jupyter_server_config.json over jupyter_server_config.py #2248

Open
krassowski opened this issue Feb 15, 2024 · 4 comments
Open

[ENH] - Prefer use of jupyter_server_config.json over jupyter_server_config.py #2248

krassowski opened this issue Feb 15, 2024 · 4 comments
Labels
area: security 🔐 type: enhancement 💅🏼 New feature or request

Comments

@krassowski
Copy link
Member

Feature description

jupyter_server_config.py is used but jupyter_server_config.json is potentially a safer option as it does not execute any code.

Value and/or benefit

When configuration owner makes a typo they are less likely to break the setup.

This does not have a direct security implication in a container, but has an indirect implication such that if the config enables a security feature but gets broken by a invalid character in the input variable (which is more likely with .py files) then the security feature would not be enabled.

Anything else?

No response
@krassowski
Copy link
Member Author

Of note imported values such as:

nebari/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyter/jupyter_server_config.py.tpl

Lines 44 to 49 in 858ca5f

from argo_jupyter_scheduler.executor import ArgoExecutor
from argo_jupyter_scheduler.scheduler import ArgoScheduler
c.Scheduler.execution_manager_class=ArgoExecutor
c.SchedulerApp.scheduler_class=ArgoScheduler
c.SchedulerApp.scheduler_class.use_conda_store_env=True

can be provided on a static traitlet using a dotted value (see how the default value is defined in here).

@krassowski krassowski mentioned this issue Mar 3, 2024
Closed
@krassowski
Copy link
Member Author

Another argument for moving to JSON is that terraform can validate JSON files after templating (because there are jsonencode/jsondecode functions which will throw if there is a syntax error), but it cannot do that for python files.

@krassowski
Copy link
Member Author

But the downside is that terraform by default does not support json5 so it would not be possible to keep the comments in (unless we do manual preprocessing/terraform plugin). Also cull_inactive_timeout and similar are multiplied by 60 in the Python file, this logic would need to be moved or definitions changed.

@krassowski
Copy link
Member Author

terraform can validate JSON files [...] but it cannot do that for python files.

I found a way to validate syntax errors for Python files using local-exec in resource as implemented in #2286

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: security 🔐 type: enhancement 💅🏼 New feature or request
Projects
🪴 Nebari Project Management
Status: New 🚦
Milestone
No milestone
Development

No branches or pull requests
1 participant
@krassowski