
Limit job launch rate/add auth #28

Open
crbates opened this issue Mar 12, 2014 · 7 comments

Comments

@crbates

crbates commented Mar 12, 2014

Limit the number of jobs that can be launched per minute/hour/day to reasonable numbers and/or add authentication to address @cbrachem's concerns about bot attacks.

@scopatz
Member

scopatz commented Mar 12, 2014

I like the rate throttling technique a bit more than authentication

@crbates
Author

crbates commented Mar 13, 2014

I haven't used flask before but looking at the docs I think it should be pretty simple to add throttling (and maybe some statistics and possibly https://github.com/flot/flot plots because once I learn flask I may as well bring something to the table) and ajaxify the post method (I can't stand waiting for the post :) ). I will check it out this weekend.

@scopatz
Member

scopatz commented Mar 13, 2014

That would be awesome @crbates! Flask is super simple, btw - though we abuse it a bit here.

@cbrachem

The big question here is if we want a method of data storage/some sort of database and the associated dependencies. Without some permanent storage, we could:

  1. Add HTTP Basic Auth with a username and password (or a list of them) given in the configuration file (don't worry, the password would of course be hashed). This would require an additional flag in the configuration if using Apache as a front end server, because by default, Apache doesn't pass HTTP Auth headers via WSGI to the user. (Presumably because the .htaccess/.htpasswd method is so prevalent.)
  2. The same as 1., but with a web based login form instead of HTTP Auth.
  3. Implement a simple rate limiting with a deque, which would allow for at most X submissions in Y seconds. (This is really simple and takes only a few lines of code.)
  4. (I really don't know if this will work:) Use OAuth to only grant access to owners of the corresponding GitHub project. Since Polyphemus interfaces with GitHub directly, this would feel all nice and integrated, since user management for the project is all done in one place.

With external storage (sqlite maybe?) we could have...well...anything. Custom user/rights management, sophisticated throttling rules, plots and statistics, you name it. But I don't know in which direction you want to go with this dashboard. Is this just supposed to be a plain and simple "click this to manually run a test" page, or should this evolve into some other, bigger thing?
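Option 3 above, the deque-based limiter ("at most X submissions in Y seconds"), worked out as an added example. This is not Polyphemus code and not code from anyone in this thread; the class, the `FakeClock` used to replay constructed request timestamps, and the `handle_launch` helper that maps a rejected request to an HTTP 429 with a `Retry-After` header are all assumptions for illustration. It deliberately keeps no external storage, exactly as the comment proposes, so the counter lives in one process's memory.

```python
from collections import deque
import threading
import time


class SlidingWindowLimiter:
    """Allow at most `max_events` accepted events in any `window_seconds` span.

    Timestamps of accepted events sit in a deque. On each attempt, entries
    older than the window are evicted from the left; the attempt is accepted
    only if fewer than `max_events` timestamps remain. Memory is bounded by
    `max_events`, since rejected attempts are never recorded.
    """

    def __init__(self, max_events, window_seconds, clock=time.monotonic):
        if max_events < 1 or window_seconds <= 0:
            raise ValueError("max_events must be >= 1 and window_seconds > 0")
        self.max_events = max_events
        self.window = float(window_seconds)
        self.clock = clock  # injectable so the limiter can be replayed in tests
        self._events = deque()
        self._lock = threading.Lock()  # threaded WSGI servers call this concurrently

    def _evict(self, now):
        while self._events and now - self._events[0] >= self.window:
            self._events.popleft()

    def try_acquire(self):
        """Record and accept one event if the window has room, else reject."""
        now = self.clock()
        with self._lock:
            self._evict(now)
            if len(self._events) < self.max_events:
                self._events.append(now)
                return True
            return False

    def retry_after(self):
        """Seconds until the oldest in-window event expires (0.0 if room now)."""
        now = self.clock()
        with self._lock:
            self._evict(now)
            if len(self._events) < self.max_events:
                return 0.0
            return self.window - (now - self._events[0])


class FakeClock:
    """Constructed clock for replaying request timestamps offline (assumption)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate(max_events, window_seconds, request_times):
    """Replay constructed request timestamps; return accept/reject per request."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(max_events, window_seconds, clock=clock)
    decisions = []
    for t in request_times:
        clock.now = t
        decisions.append(limiter.try_acquire())
    return decisions


def handle_launch(limiter, job_name):
    """Hypothetical request handler: gate a job launch behind the limiter.

    Returns (status_code, headers, body) so it can be adapted to any
    web framework; the 429 + Retry-After shape is the conventional one.
    """
    if limiter.try_acquire():
        return 202, {}, "launch of %s accepted" % job_name
    wait = limiter.retry_after()
    return 429, {"Retry-After": str(int(wait) + 1)}, "rate limit exceeded"


if __name__ == "__main__":
    # Constructed timeline: 3 launches per 60 s; fourth at t=3 is rejected,
    # the window frees up again one request at a time from t=61.
    print(simulate(3, 60, [0, 1, 2, 3, 61, 62, 63]))
```

Because the deque is in-process, each WSGI worker or each machine behind a load balancer enforces its own copy of the limit; that is the trade-off the comment accepts by skipping permanent storage. A per-user or per-source variant keys a dict of limiters on the caller's identity instead of sharing one deque, which is where the authentication options 1, 2 and 4 and the throttling option start to combine.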

@crbates
Author

crbates commented Mar 15, 2014

> though we abuse it a bit here.

I think a bit would be putting it lightly. I will look at this more when I have some more time but this whole flask obfuscated by polyphemus plugins seems like a recipe for difficult to track down errors to quick and dirty solutions. I still think stats and charts would be really nice to add but my bandwidth is currently -- .

@scopatz
Member

scopatz commented Mar 15, 2014

Yeah, I couldn't think of a better way to do this without wholesale just writing django plugins or buying into some other big framework. Flask functions just show up here as plugin methods. It should be noted that not all polyphemus plugins are web services. Sometimes you just want to add steps to the execution pipeline. All apologies if it doesn't immediately fit your brain :)

@crbates
Author

crbates commented Mar 23, 2014

I just made the mistake of reading flask docs before polyphemus docs. Now that pyne/pyne#338 is mostly ready I will probably hack something together for this tomorrow.
