Tensorboard: authentication and authorization support

Created on 25 Jul 2017  路  5Comments  路  Source: tensorflow/tensorboard

Is there any plan to introduce authentication and authorization support into TensorBoard?
Some simple examples of authorization,

  • Only users belong to a white list could access this TB server.
  • Client must within a particular network sub-domain.
picture anfeng

Most helpful comment

How about just a long hash at the end of the URL for a uniqe address, similar to what jupyter-lab does?
This would at least allow HPC facilities to support this software. Using an nginx would not be practical in a shared environment where compute nodes have several users on them at a time.

picture jdhayes on 26 Feb 2020
👍7

All 5 comments

Yes indeed. We're planning to build a TensorBoard service with a new scalable storage layer. It will be multi-tenant with ACLs and all that good stuff. See https://github.com/tensorflow/tensorboard/issues/92

jart picture jart on 25 Jul 2017

Mmmh, so now that #92 has been closed because it's "too ambitious", what's the plan to enable authentication?

The lack of any kind of authentication/authorization mechanism makes Tensorboard pretty much unusable outside of a developer laptop. It can't be reasonably used on any shared, multi-tenant environment.

kcgthb picture kcgthb on 24 Aug 2018

We don't have any near-term plans to add auth mechanisms directly to TensorBoard, but it's possible today to run TensorBoard behind an authenticating reverse proxy like nginx, or since it's a WSGI app under the hood, run a slightly modified TensorBoard with some WSGI auth middleware.

Putting auth directly in TensorBoard would mean taking on a significant extra responsibility (since it's something that would be crucial to get right) and it would be very challenging to build something that would satisfy all use cases, even for example supporting authentication mechanisms for web (e.g. openID) vs offline/private (e.g. dedicated username/pw stored in TensorBoard or something like LDAP) requires substantially different work. So I suspect that even if we continue with various parts of #92, we would be more likely to support auth via the underlying server platform rather than directly inside TensorBoard.

nfelt picture nfelt on 24 Aug 2018

How about just a long hash at the end of the URL for a uniqe address, similar to what jupyter-lab does?
This would at least allow HPC facilities to support this software. Using an nginx would not be practical in a shared environment where compute nodes have several users on them at a time.

jdhayes picture jdhayes on 26 Feb 2020
👍7

Hi @jdhayes, I just found that you can manually set a unique address with --path_prefix option.
How about launching TensorBoard with tensorboard --path_prefix /$(openssl rand -hex 24)

I'm not sure this is secure enough.

Edit: I found the above command is insecure because you can find the hash by ps aux.

yoshipon picture yoshipon on 11 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

KylePiira picture KylePiira  路  4Comments
neouyghur picture neouyghur  路  3Comments
datlife picture datlife  路  4Comments
yaroslavvb picture yaroslavvb  路  4Comments
ismael-elatifi picture ismael-elatifi  路  3Comments