Limit job launch rate/add auth

[crbates]

Limit the number of jobs that can be launched per minute/hour/day to reasonable numbers and/or add authentication to address @cbrachem's concerns about bot attacks.

[scopatz]

I like the rate throttling technique a bit more than authentication

[crbates]

I haven't used flask before but looking at the docs I think it should be pretty simple to add throttling (and maybe some statistics and possibly https://github.com/flot/flot plots because once I learn flask I may as well bring something to the table) and ajaxify the post method (I can't stand waiting for the post :) ). I will check it out this weekend.

[scopatz]

That would be awesome @crbates! Flask is super simple, btw - though we abuse it a bit here.

[cbrachem]

The big question here is if we want a method of data storage/some sort of database and the associated dependencies. Without some permanent storage, we could:

1. Add HTTP Basic Auth with a username and password (or a list of them) given in the configuration file (don't worry, the password would of course be hashed). This would require an additional flag in the configuration if using Apache as a front end server, because by default, Apache doesn't pass HTTP Auth headers via WSGI to the user. (Presumably because the .htaccess/.htpasswd method is so prevalent.)
2. The same as 1., but with a web based login form instead of HTTP Auth.
3. Implement a simple rate limiting with a deque, which would allow for at most X sumbmissions in Y seconds. (This is really simple and takes only a few lines of code.)
4. (I really don't know if this will work:) Use OAuth to only grant access to owners of the corresponding GitHub project. Since Polyphemus interfaces with GitHub directly, this would feel all nice and integrated, since user management for the project is all done in one place.

With external storage (sqlite maybe?) we could have...well...anything. Custom user/rights management, sophisticated throttling rules, plots and statistics, you name it. But I don't know in which direction you want to go with this dashboard. Is this just supposed to be a plain and simple "click this to manually run a test" page, or should this eveolve into some other, bigger thing?

[crbates]

though we abuse it a bit here.

I think a bit would be putting it lightly. I will look at this more when I have some more time but this whole flask obfuscated by polyphemus plugins seems like a recipe for difficult to track down errors to quick and dirty solutions. I still think stats and charts would be really nice to add but my bandwidth is currently -- .

[scopatz]

Yeah, I couldn't think of a better way to do this without wholesale just writing django plugins or buying into some other big framework. Flask functions just show up here as plugin methods. It should be noted that not all polyphemus plugins are web services. Sometimes you just want to add steps to the execution pipeline. All apologies if it doesn't immediately fit your brain :)

[crbates]

I just made the mistake of reading flask docs before polyphemus docs. Now that pyne/pyne#338 is mostly ready I will probably hack something together for this tomorrow.