The SDSC Satellite Reverse Proxy Service for Launching Secure Jupyter Notebooks on High-Performance Computing Systems
Mary P Thomas, Martin Kandes, James McDougall, Dmitry Mishin, Scott Sakai, Subhashini Sivagnanam, Mahidhar Tatineni
TL;DR
The paper addresses the security and usability challenges of running single-user Jupyter Notebooks on HPC systems by introducing the SDSC Satellite Proxy Service, a token-authenticated HTTPS reverse proxy that provides a secure, single URL for notebook access. It couples Satellite with a Jupyter Spawner Client to automate notebook provisioning on HPC resources via batch systems, avoiding insecure direct exposure and login-node deployments. The approach is proven in production since 2020, supporting CPU/GPU nodes and Singularity containers, and has been adopted for training and broader deployment, reducing friction for secure notebook usage. The work offers a practical, scalable method for securely exposing Jupyter-based workflows on HPC facilities and suggests extensions to support broader applications and portal integrations.
Abstract
Using Jupyter notebooks in an HPC environment exposes a system and its users to several security risks. The Satellite Proxy Service, developed at SDSC, addresses many of these security concerns by providing Jupyter Notebook servers with a token-authenticated HTTPS reverse proxy through which end users can access their notebooks securely with a single URL copied and pasted into their web browser.