Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 0.7.0
    • Fix Version/s: 0.7.0
    • Component/s: rest-api, security
    • Labels:
      None

      Description

      The Notebook REST API endpoint doesn't provide any security check of any kind, which means that anybody can use the REST API and do whatever they want.

        Issue Links

          Activity

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho opened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?
                Bring some security check in `NotebookRestApi`.
              1. What type of PR is it?
                [Bug Fix | Improvement | Refactoring]
              1. Todos
          • [ ] - Create a proper way to throw webapp error
          • [ ] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [ ] - Add Authorization check in `NotebookRestapi`
              1. What is the Jira issue?
                ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)
              1. How should this be tested?
                First, force Zeppelin to use auth.
          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)
                ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)
              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567


          commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T05:49:10Z

          Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

          commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T07:22:13Z

          Add new method to help determine if user is part of writer and/or owner for the given note

          commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:56:04Z

          Add new method to check if user and roles are member of the note (at least owner, reader, writer)

          commit 43ec38932300db156a602507ae82a34a0b416257
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:57:06Z

          Replace check of anonymous by method

          commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:32Z

          Add webapp exception handler

          commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:54Z

          Handle security check

          commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-29T05:58:04Z

          Rename permission check note :: be more meaningful


          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?

          Bring some security check in `NotebookRestApi`.

              1. What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

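              1. Todos

          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [ ] - Add Authorization check in `NotebookRestapi`

              1. What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

              1. How should this be tested?

          First, force Zeppelin to use auth.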

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567


          commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T05:49:10Z

          Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

          commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T07:22:13Z

          Add new method to help determine if user is part of writer and/or owner for the given note

          commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:56:04Z

          Add new method to check if user and roles are member of the note (at least owner, reader, writer)

          commit 43ec38932300db156a602507ae82a34a0b416257
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:57:06Z

          Replace check of anonymous by method

          commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:32Z

          Add webapp exception handler

          commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:54Z

          Handle security check

          commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-29T05:58:04Z

          Rename permission check note :: be more meaningful

          commit a1cc1b81bd8f69f068803e6e87d110805905a039
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T03:33:20Z

          Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException


          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?

          Bring some security check in `NotebookRestApi`.

              1. What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

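              1. Todos

          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [x] - Add Authorization check in `NotebookRestapi`

              1. What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

              1. How should this be tested?

          First, force Zeppelin to use auth.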

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567


          commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T05:49:10Z

          Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

          commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T07:22:13Z

          Add new method to help determine if user is part of writer and/or owner for the given note

          commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:56:04Z

          Add new method to check if user and roles are member of the note (at least owner, reader, writer)

          commit 43ec38932300db156a602507ae82a34a0b416257
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:57:06Z

          Replace check of anonymous by method

          commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:32Z

          Add webapp exception handler

          commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:54Z

          Handle security check

          commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-29T05:58:04Z

          Rename permission check note :: be more meaningful

          commit a1cc1b81bd8f69f068803e6e87d110805905a039
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T03:33:20Z

          Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException


          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

          githubbot ASF GitHub Bot added a comment -

          Github user minahlee commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          Thank you for the quick response. I only went through the code and it looks good to me. It would be nice if you can add some tests. Meanwhile let me build this branch and test it out.

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @minahlee yeah, actually I am doing this right now. I also updated the todo tasks. Thanks for your review!

          githubbot ASF GitHub Bot added a comment -

          Github user minahlee commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          I tested some of the REST APIs and they work well. The next step would be applying the same policies to websocket. For example, a `reader` cannot change the interpreter bound to a note via the REST API after this PR, but it is possible to do it via websocket (or GUI).

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @minahlee you are right, I guess the next step will be to abstract this logic from rest api and apply to both rest and websocket.

          githubbot ASF GitHub Bot added a comment -

          Github user tae-jun commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          I also tested and was able to reproduce the screenshot above.

          When I was another user, it returned `403` status code with message:
          ```json
          {"status":"FORBIDDEN","message":"Insufficient privileges you cannot get this note"}
          ```

          However, when I didn't log in (i.e. anonymous), the browser (Chrome) redirected me to `http://localhost:8080/api/login` and returned `405` status code without any message. Users can be confused when there is no error message. And I think `403` status code is more proper since it's `forbidden`, not `method not allowed`.

          So in my opinion, it would be better:

          • Send `403` status code with some messages when a user is not logged in. Maybe something like:
            ```json
            {"status":"FORBIDDEN","message":"Please log in"}
            ```

          This is a miracle feature, by the way 👍

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @tae-jun thanks for the feedback, let me take a look tomorrow

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @tae-jun After looking at the code base, I think this case should be handled in another PR; this is kinda out of the scope of this PR and it's already becoming super big.

          But you made a very valid point here and I guess it deserves a Jira ticket. I will try to find some time to handle this special case.

          What do you think?

          githubbot ASF GitHub Bot added a comment -

          Github user tae-jun commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @anthonycorbacho Nice! I agree with you

          I will open the issue on JIRA. But since I don't know much about the code structure, I may need some help 😃

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @zjffdu Hey dudy, I keep failing at the Livy interpreter. I don't know why but I keep getting a timeout somehow, can you take a look at it please? It also looks like other PRs are failing at the same stage

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?

          Bring some security check in `NotebookRestApi`.

              1. What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

              1. Todos
          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [x] - Add Authorization check in `NotebookRestapi`
          • [x] - Add New test for security in notebook rest api
              1. What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

              1. How should this be tested?

          First, force Zeppelin to use auth.

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567


          commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T05:49:10Z

          Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

          commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T07:22:13Z

          Add new method to help to determine if user is part of writer and/or owner for the given note

          commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:56:04Z

          Add new method to check if user and roles are member of the note (at least owner, reader, writer)

          commit 43ec38932300db156a602507ae82a34a0b416257
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:57:06Z

          Replace check of anonymous by method

          commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:32Z

          Add webapp exception handler

          commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:54Z

          Handle security check

          commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-29T05:58:04Z

          Rename permission check note :: be more meaningful

          commit a1cc1b81bd8f69f068803e6e87d110805905a039
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T03:33:20Z

          Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException

          commit 0cf19d2c41b288dc3a02cefc64de07c30b91e9ec
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T08:24:38Z

          Fix typo and bad copy paste for isOwner

          commit 2fd359cda8fe8aab72177c9c8c59b5bde3eb1c6c
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T08:30:17Z

          Address review and fix typos

          commit 4768e3a73f3cec87c86ab8cabb05a7fe483aa922
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:48:14Z

          Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user

          commit 1055a837cb138d86618c895b71346d95f743496e
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:49:00Z

          Simple implementation of notebook test with shiro (security)

          commit 15c776d5889bd9c9d06d6246c3101aa1a2f4cb6d
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:49:26Z

          Rewording

          commit 216b5cdd32183d9907ce33f8a91713909e790404
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-02T03:24:43Z

          Fix typo


          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @tae-jun creating an issue doesn't mean that you have to handle it. Of course if you want you are welcome to do so, but remember we are a community, so that means we are here to help each other, so if you create the PR I can spend some time and work with you on it

          githubbot ASF GitHub Bot added a comment -

          Github user tae-jun commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          @anthonycorbacho Thanks. Don't worry! I do this because I want to 😄

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?

          Bring some security check in `NotebookRestApi`.

              1. What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

              1. Todos
          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [x] - Add Authorization check in `NotebookRestapi`
          • [x] - Add New test for security in notebook rest api
              1. What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

              1. How should this be tested?

          First, force Zeppelin to use auth.

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567


          commit 4a43b07c05026698fe268b4b45913a3b0f007f74
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T05:49:10Z

          Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

          commit da3415f3b3c12d72e0466a736ccaa0a3231c79ed
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T07:22:13Z

          Add new method to help to determine if user is part of writer and/or owner for the given note

          commit 0e4cc3c974cb52b8e6e039375c4748bc89665201
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:56:04Z

          Add new method to check if user and roles are member of the note (at least owner, reader, writer)

          commit 21f9288ef7225f56c6a9d92d26209b7440d64c6a
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T09:57:06Z

          Replace check of anonymous by method

          commit fe380abf6fc839f316a0eeaae43b3a1e44d58df9
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:32Z

          Add webapp exception handler

          commit 6030776cd867f7575010ee7fa99e0b0782d308dd
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-28T11:19:54Z

          Handle security check

          commit ed404a4e331e28f76cc2a28ebc3498d3343da34e
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-10-29T05:58:04Z

          Rename permission check note :: be more meaningful

          commit c8c42b26a0b7403a02f90cce62336c2eb9498873
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T03:33:20Z

          Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException

          commit eacfa8eee2fde6d9fb1f3f8fc52b7b7967b6c665
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T08:24:38Z

          Fix typo and bad copy paste for isOwner

          commit db0c39c4a14d7a97b5d7caec3d332056d0773920
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T08:30:17Z

          Address review and fix typos

          commit b412266b4dd73fd005a403b77acdec0599e55b3a
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:48:14Z

          Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user

          commit decd1e9c6c32f761a806e2367eeaa94121931631
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:49:00Z

          Simple implementation of notebook test with shiro (security)

          commit bab7e600780e19533b59c56e7c4b7e32e8841efc
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-01T14:49:26Z

          Rewording

          commit 49d4db9eff1fe908d9256ded67f21d53fa48e4d8
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-02T03:24:43Z

          Fix typo


          githubbot ASF GitHub Bot added a comment -

          GitHub user anthonycorbacho reopened a pull request:

          https://github.com/apache/zeppelin/pull/1567

          ZEPPELIN-1586 Add security check in NotebookRestApi

              1. What is this PR for?

          Bring some security check in `NotebookRestApi`.

              1. What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

              1. Todos
          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [x] - Add Authorization check in `NotebookRestapi`
          • [x] - Add New test for security in notebook rest api
              1. What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

              1. How should this be tested?

          First, force Zeppelin to use auth.

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, login and set some permission to a note
          • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

              1. Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

              1. Questions:
          • Does the licenses files need update? No
          • Is there breaking changes for older versions? No
          • Does this needs documentation? Maybe

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1567.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1567
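
A simplified model of the two changes listed in the Todos above (owner/reader/writer checks, and a check in each REST handler), added here as an example and not taken from the pull request. The class and method names, the role hierarchy, the 403 mapping and the deny-by-default rule for notes without an ACL are all assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration with hypothetical names; not Zeppelin's NotebookAuthorization or NotebookRestApi.
public class NoteAccessDemo {

  // Stand-in for a web error that the REST layer would map to HTTP 403 (assumption).
  static class ForbiddenException extends RuntimeException {
    ForbiddenException(String message) { super(message); }
  }

  // Per-note ACL. Assumed hierarchy: an owner may also write, a writer may also read.
  static class NoteAcl {
    final Set<String> owners = new HashSet<>();
    final Set<String> writers = new HashSet<>();
    final Set<String> readers = new HashSet<>();

    boolean isOwner(Set<String> who) { return !Collections.disjoint(owners, who); }
    boolean isWriter(Set<String> who) { return isOwner(who) || !Collections.disjoint(writers, who); }
    boolean isReader(Set<String> who) { return isWriter(who) || !Collections.disjoint(readers, who); }
  }

  static final Map<String, NoteAcl> ACLS = new HashMap<>();
  static final Map<String, String> NOTES = new HashMap<>();

  // Before the fix: any caller who knows the note id gets the content.
  static String getNoteUnchecked(String noteId) { return NOTES.get(noteId); }

  // After the fix: each handler checks the caller's user name and roles against the note's ACL.
  static String getNote(String noteId, Set<String> who) {
    requireAccess(noteId, who, false);
    return NOTES.get(noteId);
  }

  static void updateNote(String noteId, Set<String> who, String text) {
    requireAccess(noteId, who, true);
    NOTES.put(noteId, text);
  }

  // Deny by default: a note with no ACL entry is refused rather than treated as public.
  static void requireAccess(String noteId, Set<String> who, boolean write) {
    NoteAcl acl = ACLS.get(noteId);
    boolean allowed = acl != null && (write ? acl.isWriter(who) : acl.isReader(who));
    if (!allowed) {
      throw new ForbiddenException((write ? "write" : "read") + " denied on note " + noteId);
    }
  }

  // Runs one handler call and reports whether the check let it through.
  static String outcome(Runnable call) {
    try { call.run(); return "allowed"; }
    catch (ForbiddenException e) { return "403: " + e.getMessage(); }
  }

  public static void main(String[] args) {
    NoteAcl acl = new NoteAcl();            // constructed sample data
    acl.owners.add("alice");
    acl.readers.add("analysts");            // a role, matched like a user name
    ACLS.put("note-1", acl);
    NOTES.put("note-1", "%md quarterly numbers");
    Set<String> bob = new HashSet<>(Arrays.asList("bob", "analysts"));
    Set<String> mallory = Collections.singleton("mallory");
    System.out.println("unchecked read: " + getNoteUnchecked("note-1"));
    System.out.println("bob read:       " + outcome(() -> getNote("note-1", bob)));
    System.out.println("bob write:      " + outcome(() -> updateNote("note-1", bob, "edited")));
    System.out.println("mallory read:   " + outcome(() -> getNote("note-1", mallory)));
  }
}
```

Owner-only operations, such as changing a note's permissions, would be gated on `isOwner` in the same way.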



          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          Github user minahlee commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          Same Spark 1.3.1 test profile failure exists on master which looks like below:
          ```
          Results :

          Tests in error:
          InterpreterRestApiTest.init:57->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          CredentialsRestApiTest.init:46->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          ZeppelinRestApiTest.init:59->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          NotebookRestApiTest.init:58->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          SecurityRestApiTest.init:44->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          NotebookRepoRestApiTest.init:52->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          ConfigurationsRestApiTest.init:39->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          ZeppelinSparkClusterTest.init:52->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
          NotebookSecurityRestApiTest.init:49->AbstractTestRestApi.startUpWithAuthenticationEnable:229->AbstractTestRestApi.start:201 » NullPointer

          Tests run: 9, Failures: 0, Errors: 9, Skipped: 0
          ```
          So I am going to merge this if there is no more discussion.

          githubbot ASF GitHub Bot added a comment -

          Github user tae-jun commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          I guess it's same CI error with #1518.

          There is a log which is:
          ```bash
          gzip: stdin: unexpected end of file
          tar: Unexpected EOF in archive
          tar: Unexpected EOF in archive
          tar: Error is not recoverable: exiting now
          +echo 'Unable to extract spark-1.3.1-bin-hadoop2.3.tgz'
          Unable to extract spark-1.3.1-bin-hadoop2.3.tgz
          ```

          This is because of cache failure of Travis CI, and if it happens, it goes forever. Because caching is done only at the first time.

          Because of this, if you follow the log more, you can see:
          ```bash
          SPARK HOME detected null
          ```
          Therefore, Zeppelin cannot find Spark, and it goes to failure.

          I think it will pass if you run Travis CI on your own repository.

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/1567

          Yeaaaaaay!

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/zeppelin/pull/1567

          githubbot ASF GitHub Bot added a comment -

          Github user bzz commented on the issue:

          https://github.com/apache/zeppelin/pull/1589

          👍 for docs in same PR.

          On CI, I think that's relatively minor and if that's too complicated to configure - we can opt out for manual test run+instruction in docs.

          Double-checking that we have all Licenses for dependencies (and transitive dependencies) logged is important though.

          BTW, are you sure that all those commits belong to this branch?

          ```
          @anthonycorbacho ZEPPELIN-1586 Add security check in NotebookRestApi … 80c5360
          @astroshim ZEPPELIN-1585 Testcase for PySparkInterpreter. … 3f03aa3
          @cloverhearts [hotfix] does not showing notebooklist on navbar … 990cc86
          ```

          githubbot ASF GitHub Bot added a comment -

          GitHub user AhyoungRyu opened a pull request:

          https://github.com/apache/zeppelin/pull/1825

          [DOCS]ZEPPELIN-1586 Add 'Security' section under notebook restapi docs

              1. What is this PR for?
                After #1567 merged we can get/set note permission information for a certain note. But this info is not described in anywhere. So I added "Security" section under [docs/rest-api/rest-notebook.md](https://github.com/apache/zeppelin/blob/master/docs/rest-api/rest-notebook.md).

          And currently so many operations are placed under one section like below.
          <img src="https://cloud.githubusercontent.com/assets/10060731/21560964/c55d41cc-cea9-11e6-96ac-68f762c68bff.png" width="400px">

          So I split them under each `Note operations`, `Paragraph operations`, `Cron jobs`, and `Security`.
          <img src="https://cloud.githubusercontent.com/assets/10060731/21560971/cd57cf46-cea9-11e6-9a41-95c817594c9c.png" width="400px">

              1. What type of PR is it?
                Documentation
              1. What is the Jira issue?
                ZEPPELIN-1877(https://issues.apache.org/jira/browse/ZEPPELIN-1877)
              1. How should this be tested?
                Please see the below screenshots
              1. Screenshots (if appropriate)
                ![screen shot 2016-12-30 at 3 58 39 pm](https://cloud.githubusercontent.com/assets/10060731/21561001/1b83f2b2-ceaa-11e6-813d-6885c8dad3fc.png)
                ![screen shot 2016-12-30 at 3 58 46 pm](https://cloud.githubusercontent.com/assets/10060731/21561004/1d6695da-ceaa-11e6-8460-7a95377ede3b.png)
                ![screen shot 2016-12-30 at 3 58 50 pm](https://cloud.githubusercontent.com/assets/10060731/21561006/2001ee5c-ceaa-11e6-90a1-7619d1b29bee.png)
              1. Questions:
          • Does the licenses files need update? no
          • Is there breaking changes for older versions? no
          • Does this needs documentation? no

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/AhyoungRyu/zeppelin ZEPPELIN-1586/docs

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1825.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1825


          commit 09d22d30ff8f927a5754c9c6f0f74ffb28ef8a71
          Author: AhyoungRyu <fbdkdud93@hanmail.net>
          Date: 2016-12-30T06:59:20Z

          Add 'Security' section under notebook restapi docs


          githubbot ASF GitHub Bot added a comment -

          Github user AhyoungRyu commented on the issue:

          https://github.com/apache/zeppelin/pull/1825

          @anthonycorbacho As the creator of these operations, could you please help review this PR?

          githubbot ASF GitHub Bot added a comment -

          Github user AhyoungRyu commented on the issue:

          https://github.com/apache/zeppelin/pull/1825

          I updated this docs page again since REST API operations need to be listed as CRUD order. And removed unimplemented response code info as well. Please see the updated screenshot images

          githubbot ASF GitHub Bot added a comment -

          Github user minahlee commented on the issue:

          https://github.com/apache/zeppelin/pull/1825

          Nice improvement, LGTM

          githubbot ASF GitHub Bot added a comment -

          Github user AhyoungRyu commented on the issue:

          https://github.com/apache/zeppelin/pull/1825

          Thanks @minahlee!
          Will merge if there are no more comments on this.

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/zeppelin/pull/1825

          githubbot ASF GitHub Bot added a comment -

          GitHub user prabhjyotsingh opened a pull request:

          https://github.com/apache/zeppelin/pull/2049

          ZEPPELIN-1586 add new line char before "[urls]"

              1. What is this PR for?
                This is a minor bug fix in ZEPPELIN-1586; add new line char before "[urls]"
              1. What type of PR is it?
                [Minor Bug Fix]
              1. What is the Jira issue?
                ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)
              1. How should this be tested?
                CI should be green.
              1. Screenshots (if appropriate)
              1. Questions:
          • Does the licenses files need update? N/A
          • Is there breaking changes for older versions? N/A
          • Does this needs documentation? N/A

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1586

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/2049.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #2049


          commit 7f502b108dee32ec58a72ad6de2fd909142fd82b
          Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
          Date: 2017-02-21T07:47:53Z

          add new line char before "[urls]"


          githubbot ASF GitHub Bot added a comment -

          Github user prabhjyotsingh commented on the issue:

          https://github.com/apache/zeppelin/pull/2049

          @anthonycorbacho help review this. I think "[urls]" should be in new line.

          githubbot ASF GitHub Bot added a comment -

          Github user r-kamath commented on the issue:

          https://github.com/apache/zeppelin/pull/2049

          Good catch. LGTM.

          githubbot ASF GitHub Bot added a comment -

          Github user Leemoonsoo commented on the issue:

          https://github.com/apache/zeppelin/pull/2049

          LGTM

          githubbot ASF GitHub Bot added a comment -

          Github user prabhjyotsingh commented on the issue:

          https://github.com/apache/zeppelin/pull/2049

          Merging this if no more discussion.

          githubbot ASF GitHub Bot added a comment -

          Github user anthonycorbacho commented on the issue:

          https://github.com/apache/zeppelin/pull/2049

          LGTM!

          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/zeppelin/pull/2049


            People

            • Assignee:
              anthonycorbacho Anthony Corbacho
              Reporter:
              anthonycorbacho Anthony Corbacho
            • Votes:
              0
              Watchers:
              4