...
- we have a pool of EC2 hosts running RStudio server behind a load balancer with CNAME rstudio.sagebase.org
- early on we start out with just a single host, no load balancer, but still use the CNAME
- our services and the custom RStudio auth plugin share a secret key for use in HMAC-SHA1 computation
- if someone on Synapse wants to use RStudio, we redirect them to https://rstudio.sagebase.org:8787/auth-sign-in?securityToken=XXXXXXXX&expires=1317916890&signature=rucSbH0yNEcP9oM2XNlouVI3BH4%3D
- assumption: not sure whether the securityToken is the Synapse sessionToken or the batch API key; either way, we may want to re-encrypt it if we are displaying it in clear text in the https url
- this url must be used within 5 minutes to start an RStudio session
- the RStudio auth plugin re-computes the signature on securityToken=XXXXXXXX&expires=1317916890
  - if it doesn’t match, the user gets a helpful error message
  - if it does match, but the url has expired, the user gets a helpful error message
  - if it does match and the url is not expired
    - we use a stable method to compute a unix username, no longer than 32 characters, from the Synapse securityToken
    - useradd and make the home directory
      - TODO: RStudio Server doesn't run as root, so it may need to contact some daemon of ours running on the box to do the things requiring root privilege
    - put a default .Rprofile in the new home directory to
      - load and log them into the R Synapse client
        library(synapseClient); sessionToken(securityToken)
      - add a package installation directory under the user's home dir if they want to install their own R packages
      - perhaps configure utilization of the shared cache of Synapse data (if we can sort out the data security issues)
- When the user logs out, nuke that unix account and the home directory
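
The sign-in check described above, sketched in Python as an added example (not the auth plugin's own code). SHARED_KEY, the function names and the "rs_" + SHA-256 username scheme are assumptions made for illustration; the signed string layout and the 5 minute window come from the notes.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode

SHARED_KEY = b"constructed-demo-key"  # placeholder; the real key is shared out of band
TTL_SECONDS = 5 * 60                  # the url must be used within 5 minutes

def compute_signature(key, token, expires):
    # Signed string uses the layout from the notes: securityToken=...&expires=...
    msg = f"securityToken={token}&expires={expires}".encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def make_query(key, token, now):
    """Service side: build the query string for /auth-sign-in."""
    expires = int(now) + TTL_SECONDS
    return urlencode({"securityToken": token, "expires": expires,
                      "signature": compute_signature(key, token, expires)})

def check_query(key, query, now):
    """Plugin side: returns 'ok', 'bad_signature' or 'expired'."""
    q = parse_qs(query, keep_blank_values=True)
    try:
        token, expires, sig = (q[k][0] for k in ("securityToken", "expires", "signature"))
    except KeyError:
        return "bad_signature"  # a missing field is treated like a failed check
    expected = compute_signature(key, token, expires)
    # Constant-time comparison, so response timing does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad_signature"
    # expires is only trusted (and parsed) after the signature has verified.
    if int(expires) < now:
        return "expired"
    return "ok"

def unix_username(token):
    # Assumed scheme: fixed prefix + truncated SHA-256, always 32 chars,
    # starts with a letter, and never exposes the token as the account name.
    return "rs_" + hashlib.sha256(token.encode()).hexdigest()[:29]

if __name__ == "__main__":
    issued = 1317916590  # constructed: 300 s before the expires value in the notes
    query = make_query(SHARED_KEY, "XXXXXXXX", issued)
    print(query)
    print(check_query(SHARED_KEY, query, issued + 60), unix_username("XXXXXXXX"))
```
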