From 4129339077cf21b27ffd0366090548f01c4024b4 Mon Sep 17 00:00:00 2001
From: Jacob Tomlinson
Date: Tue, 2 Aug 2022 09:57:36 +0100
Subject: [PATCH] Fix Jupyter security note

---
 distributed/scheduler.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/distributed/scheduler.py b/distributed/scheduler.py
index 2f3559c34fe..58a0a88b0e2 100644
--- a/distributed/scheduler.py
+++ b/distributed/scheduler.py
@@ -3020,9 +3020,11 @@ def __init__(
         {
             "ServerApp": {
                 "base_url": "jupyter",
-                # SECURITY: in this context we expect this to be safe, as
-                # if a client can connect to the scheduler they can already
-                # run arbitrary code.
+                # SECURITY: We usually expect the dashboard to be a read-only view into
+                # the scheduler activity. However, by adding an open Jupyter application
+                # we are allowing arbitrary remote code execution on the scheduler via the
+                # dashboard server. This option should only be used when the dashboard is
+                # protected via other means, or when you don't care about cluster security.
                 "token": "",
                 "allow_remote_access": True,
             }
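Review bot: The rewritten SECURITY comment still does not name the two settings directly below it that create the exposure, so a reader scanning the config literal has to infer which knobs matter; `"token": ""` disables Jupyter's token authentication and `"allow_remote_access": True` accepts clients from non-loopback addresses, and the comment would be more actionable ending with `# Concretely: token="" turns off Jupyter auth and allow_remote_access=True accepts non-local clients.` A source comment is also invisible to the operator who turns this on at runtime, so logging a warning when this branch is taken (via the module logger, if one is in scope here) would surface the risk where it is actually decided, e.g. `logger.warning("Jupyter server enabled on the scheduler dashboard without token auth; restrict access to the dashboard port")`. Scheduler.__init__ begins and ends outside this hunk, so the condition that gates this block is not visible.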