Hi folks, I'm thinking of writing a Jupyter server extension to provide an endpoint that another service in our ecosystem would call.
In our environment we're proxying all HTTP traffic between the user and the notebook, so we could plausibly prevent the user hitting our new endpoint if we wanted. I see from the Jupyter server API that users can access and update the Jupyter configuration. This leads me to a few questions: 1. Does this extend to editing NotebookApp.nbserver_extensions, i.e. editing the list of installed extensions? Would users therefore be able to disable our server extension, or worse, replace it with one of their own? 2. What would users miss out on if we blocked access to the /config endpoints? 3. Aside from hitting /config, are there other ways that users can mess with the server environment? Should we, as administrators of a Jupyter server, consider the entire server and notebook environment open to modification by users -- or is their power to tinker limited in some way? Thanks, -Hussein -- You received this message because you are subscribed to the Google Groups "Project Jupyter" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/22d4939f-fa04-4d3f-b50c-054c0f651277%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
