Securing a Livebook using an external source

I have an Elixir/Phoenix application that’s deployed in a container. When I run locally, I’m able to start up a Livebook container alongside it and connect to its runtime using the LIVEBOOK_DEFAULT_RUNTIME=attached:sname:cookie setting. It works great in development, and I’ve been able to deploy it to AWS Elastic Container Service as well by including the app container and the Livebook container in the same task definition.

I’d like to keep this available as a “power user admin” option so that people with designated admin access to the application can get into the Livebook and do some scripted/maintenance/one-off things the app’s UI doesn’t support directly. (We currently do this by using AWS Session Manager to open a command line session inside the running container and then using bin/APP_NAME remote to attach to the console. Obviously Livebook offers a whole lot of advantages compared to the current approach.)

The problem is user authentication and security. I initially thought about just mounting Livebook like we currently do with LiveDashboard so we could control access with our existing router pipeline, but I understand that’s not a supported use case.

Is there some other way to hook into Livebook’s security model and have it check with some external source (or even a function / plug within the connected runtime) to determine whether a request should be allowed to proceed? Livebook would be running at the same hostname (on a different port), so the request would include the same JWT that gets passed to the main application.

There is an open discussion to support Joken headers, and we will support it sooner rather than later, but there is nothing at the moment.
