Merge pull request #280 from jupyter-on-openshift/master

Add whitelist for environment variables to be inherited from gateway process by kernel.

Author: rolweber

docs/source/config-options.md

@@ -179,6 +179,10 @@ KernelGatewayApp options
     Default: None
     Runs the notebook (.ipynb) at the given URI on every kernel launched. No
     seed by default. (KG_SEED_URI env var)
+--KernelGatewayApp.env_process_whitelist=<List>
+    Default: []
+    Environment variables allowed to be inherited from current process by a
+    new kernel.
 
 NotebookHTTPPersonality options
 -------------------------------

kernel_gateway/gatewayapp.py

@@ -17,7 +17,7 @@
 except ImportError:
     from urllib.parse import urlparse
 
-from traitlets import Unicode, Integer, default, observe, Type, Instance
+from traitlets import Unicode, Integer, default, observe, Type, Instance, List
 
 from jupyter_core.application import JupyterApp, base_aliases
 from jupyter_client.kernelspec import KernelSpecManager
@@ -232,6 +232,14 @@ def default_kernel_name_default(self):
     def force_kernel_name_default(self):
         return os.getenv(self.force_kernel_name_env, '')
 
+    env_process_whitelist_env = 'KG_ENV_PROCESS_WHITELIST'
+    env_process_whitelist = List(config=True,
+                                 help="""Environment variables allowed to be inherited from the spawning process by the kernel""")
+
+    @default('env_process_whitelist')
+    def env_process_whitelist_default(self):
+        return os.getenv(self.env_process_whitelist_env, '').split(',')
+
     api_env = 'KG_API'
     api_default_value = 'kernel_gateway.jupyter_websocket'
     api = Unicode(api_default_value,
@@ -444,6 +452,7 @@ def init_webapp(self):
             kg_expose_headers=self.expose_headers,
             kg_max_age=self.max_age,
             kg_max_kernels=self.max_kernels,
+            kg_env_process_whitelist=self.env_process_whitelist,
             kg_api=self.api,
             kg_personality=self.personality,
             # Also set the allow_origin setting used by notebook so that the

kernel_gateway/services/kernels/handlers.py

@@ -23,6 +23,10 @@ class MainKernelHandler(TokenAuthorizationMixin,
     def env_whitelist(self):
         return self.settings['kg_personality'].env_whitelist
 
+    @property
+    def env_process_whitelist(self):
+        return self.settings['kg_env_process_whitelist']
+
     @gen.coroutine
     def post(self):
         """Overrides the super class method to honor the max number of allowed
@@ -53,7 +57,10 @@ def post(self):
             # Start with the PATH from the current env. Do not provide the entire environment
             # which might contain server secrets that should not be passed to kernels.
             env = {'PATH': os.getenv('PATH', '')}
-            # Whitelist KERNEL_* args and those allowed by configuration
+            # Whitelist environment variables from current process environment
+            env.update({key: value for key, value in os.environ.items()
+                   if key in self.env_process_whitelist})
+            # Whitelist KERNEL_* args and those allowed by configuration from client
             env.update({key: value for key, value in model['env'].items()
                    if key.startswith('KERNEL_') or key in self.env_whitelist})
             # No way to override the call to start_kernel on the kernel manager