Fix Jupyter security note (#6818)

dask · Aug 2, 2022 · 4f6960a · 4f6960a
1 parent 10b3450
commit 4f6960a
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/distributed/scheduler.py b/distributed/scheduler.py
@@ -3020,9 +3020,11 @@ def __init__(
                     {
                         "ServerApp": {
                             "base_url": "jupyter",
-                            # SECURITY: in this context we expect this to be safe, as
-                            # if a client can connect to the scheduler they can already
-                            # run arbitrary code.
+                            # SECURITY: We usually expect the dashboard to be a read-only view into
+                            # the scheduler activity. However, by adding an open Jupyter application
+                            # we are allowing arbitrary remote code execution on the scheduler via the
+                            # dashboard server. This option should only be used when the dashboard is
+                            # protected via other means, or when you don't care about cluster security.
                             "token": "",
                             "allow_remote_access": True,
                         }