Description
The notebook REST API endpoint doesn't provide any security check of any kind, which means that anybody can use the REST API and do whatever they want.
Activity
GitHub user anthonycorbacho reopened a pull request:
https://github.com/apache/zeppelin/pull/1567
ZEPPELIN-1586 Add security check in NotebookRestApi

What is this PR for?
Bring some security checks into `NotebookRestApi`.

What type of PR is it?
[Bug Fix | Improvement | Refactoring]

Todos
- [x] Create a proper way to throw webapp errors
- [x] Add in `NotebookAuthorization` some methods to check if a user is owner, reader or writer
- [ ] Add authorization checks in `NotebookRestApi`

What is the Jira issue?
ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

How should this be tested?
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*
```xml
<property>
<name>zeppelin.anonymous.allowed</name>
<value>false</value>
<description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```ini
#/** = anon
/** = authc
```
- Start Zeppelin, log in and set some permissions on a note
- Try to get a note from the Zeppelin REST API at `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl; if you use curl, please add the Shiro token to the curl cookie)

Screenshots (if appropriate)
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe

You can merge this pull request into a Git repository by running:
$ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1567.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1567

commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T05:49:10Z
Add new method on ZeppelinConfiguration to get whether Zeppelin is running in anonymous mode or not

commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T07:22:13Z
Add new method to help determine if user is part of writers and/or owners for the given note

commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T09:56:04Z
Add new method to check if user and roles are members of the note (at least owner, reader, writer)

commit 43ec38932300db156a602507ae82a34a0b416257
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T09:57:06Z
Replace check of anonymous by method

commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T11:19:32Z
Add webapp exception handler

commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T11:19:54Z
Handle security check

commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-29T05:58:04Z
Rename permission check note :: be more meaningful

commit a1cc1b81bd8f69f068803e6e87d110805905a039
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T03:33:20Z
Change cxf version from 2.7.7 to 2.7.8 to avoid method not found when throwing WebAppException
Github user minahlee commented on the issue:
https://github.com/apache/zeppelin/pull/1567
Thank you for quick response, I only went through the code and it looks good to me. It would be nice if you can add some tests. Meanwhile let me build this branch and test it out.
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@minahlee yeah, actually I am doing this right now. I also updated the todo tasks. Thanks for your review!
Github user minahlee commented on the issue:
https://github.com/apache/zeppelin/pull/1567
I tested some of the REST APIs and it works well. The next step would be applying the same policies to websocket. For example, a `reader` cannot change the interpreter bound to a note via the REST API after this PR, but it is possible to do it via websocket (or the GUI).
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@minahlee you are right, I guess the next step will be to abstract this logic out of the REST API and apply it to both REST and websocket.
Github user tae-jun commented on the issue:
https://github.com/apache/zeppelin/pull/1567
I also tested and was able to reproduce the screenshot above.
When I was another user, it returned a `403` status code with message:
```json
```
However, when I didn't log in (i.e. anonymous), the browser (Chrome) redirected me to `http://localhost:8080/api/login` and returned a `405` status code without any message. Users can be confused when there is no error message. And I think the `403` status code is more proper since it's `forbidden`, not `method not allowed`.
So in my opinion, it would be better to:
- Send a `403` status code with some message when a user is not logged in. Maybe something like:
```json
{"status":"FORBIDDEN","message":"Please log in"}
```
This is a miracle feature, by the way 👍
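The per-note check this PR puts in front of the notebook REST API, together with the response shape proposed in the comment above, as an added example that is not Zeppelin's code: a Python model of the owner/reader/writer decision for a request, answering `403` with a JSON message both for a logged-in user who lacks the permission and for an anonymous caller when `zeppelin.anonymous.allowed` is false. The permission semantics (an empty permission set means open to everyone, owners may write, writers may read), the sample users and roles, and the message texts are assumptions made for the example.

```python
"""Model of a per-note authorization check in front of a notebook REST call.

Added example, not Zeppelin's own code.  Assumptions: an empty permission
set means the note is open to everyone for that action; owners may also
write; writers may also read; the error body follows the shape proposed in
the review thread ({"status":"FORBIDDEN","message":...}).
"""
import json
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"


@dataclass
class NotePermissions:
    """Per-note permission sets as set in the note's permission dialog.
    Entries are user names or role names (sample data is constructed below)."""
    owners: set = field(default_factory=set)
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)


def _is_member(entities, allowed):
    # Assumption: an empty permission set means "anyone"; otherwise the user
    # name or one of the user's roles must appear in the set.
    return not allowed or bool(entities & allowed)


def is_owner(perms, entities):
    return _is_member(entities, perms.owners)


def is_writer(perms, entities):
    # Assumption: owners can always write.
    return _is_member(entities, perms.writers) or is_owner(perms, entities)


def is_reader(perms, entities):
    # Assumption: anyone who may write may also read.
    return _is_member(entities, perms.readers) or is_writer(perms, entities)


_CHECKS = {"owner": is_owner, "writer": is_writer, "reader": is_reader}


def _forbidden(message):
    # 403 with a JSON body, instead of a redirect to /api/login that ends in a
    # 405 with no message (the case reported in the thread).
    return 403, json.dumps({"status": "FORBIDDEN", "message": message})


def check_request(required, perms, user=None, roles=(), anonymous_allowed=False):
    """Decide a REST request against one note.

    required: "reader" (e.g. GET the note), "writer" (update/run) or
    "owner" (change permissions, delete).  Returns (http_status, body).
    """
    if required not in _CHECKS:
        raise ValueError(f"unknown permission level: {required}")
    if user is None or user == ANONYMOUS:
        if not anonymous_allowed:  # zeppelin.anonymous.allowed=false
            return _forbidden("Please log in")
        entities = {ANONYMOUS}
    else:
        entities = {user} | set(roles)  # user name plus the roles Shiro assigned
    if not _CHECKS[required](perms, entities):
        return _forbidden(f"{required} permission on this note is required")
    return 200, None


if __name__ == "__main__":
    # Constructed sample: alice owns the note, bob may read, role "analyst" may write.
    note = NotePermissions(owners={"alice"}, readers={"bob"}, writers={"analyst"})
    print(check_request("owner", note, user="alice"))
    print(check_request("writer", note, user="bob"))
    print(check_request("writer", note, user="carol", roles={"analyst"}))
    print(check_request("reader", note))  # anonymous, anonymous.allowed=false
```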
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@tae-jun thanks for the feedback, let me take a look tomorrow
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@tae-jun After looking at the code base, I think this case should be handled in another PR; this is kind of out of the scope of this PR and it's already becoming super big.
But you made a very valid point here and I guess it deserves a Jira ticket. I will try to find some time to handle this special case.
What do you think?
Github user tae-jun commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@anthonycorbacho Nice! I agree with you.
I will open the issue on JIRA. But since I don't know much about the code structure, I may need some help 😃
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@zjffdu Hey dude, I keep failing at the Livy interpreter, I don't know why but I keep getting a timeout somehow, can you take a look at it please? It also looks like other PRs are failing at the same stage.
GitHub user anthonycorbacho reopened a pull request:
https://github.com/apache/zeppelin/pull/1567
ZEPPELIN-1586 Add security check in NotebookRestApi

What is this PR for?
Bring some security checks into `NotebookRestApi`.

What type of PR is it?
[Bug Fix | Improvement | Refactoring]

Todos
- [x] Create a proper way to throw webapp errors
- [x] Add in `NotebookAuthorization` some methods to check if a user is owner, reader or writer
- [x] Add authorization checks in `NotebookRestApi`
- [x] Add new tests for security in the notebook REST API

What is the Jira issue?
ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

How should this be tested?
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*
```xml
<property>
<name>zeppelin.anonymous.allowed</name>
<value>false</value>
<description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```ini
#/** = anon
/** = authc
```
- Start Zeppelin, log in and set some permissions on a note
- Try to get a note from the Zeppelin REST API at `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl; if you use curl, please add the Shiro token to the curl cookie)

Screenshots (if appropriate)
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe

You can merge this pull request into a Git repository by running:
$ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1567.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1567

commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T05:49:10Z
Add new method on ZeppelinConfiguration to get whether Zeppelin is running in anonymous mode or not

commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T07:22:13Z
Add new method to help determine if user is part of writers and/or owners for the given note

commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T09:56:04Z
Add new method to check if user and roles are members of the note (at least owner, reader, writer)

commit 43ec38932300db156a602507ae82a34a0b416257
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T09:57:06Z
Replace check of anonymous by method

commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T11:19:32Z
Add webapp exception handler

commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-28T11:19:54Z
Handle security check

commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-10-29T05:58:04Z
Rename permission check note :: be more meaningful

commit a1cc1b81bd8f69f068803e6e87d110805905a039
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T03:33:20Z
Change cxf version from 2.7.7 to 2.7.8 to avoid method not found when throwing WebAppException

commit 0cf19d2c41b288dc3a02cefc64de07c30b91e9ec
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T08:24:38Z
Fix typo and bad copy paste for isOwner

commit 2fd359cda8fe8aab72177c9c8c59b5bde3eb1c6c
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T08:30:17Z
Address review and fix typos

commit 4768e3a73f3cec87c86ab8cabb05a7fe483aa922
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T14:48:14Z
Refactored the abstract REST API test to also handle the case of tests with Shiro (security); I also added some utility HTTP methods to perform actions as an authenticated user

commit 1055a837cb138d86618c895b71346d95f743496e
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T14:49:00Z
Simple implementation of notebook test with Shiro (security)

commit 15c776d5889bd9c9d06d6246c3101aa1a2f4cb6d
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-01T14:49:26Z
Rewording

commit 216b5cdd32183d9907ce33f8a91713909e790404
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-02T03:24:43Z
Fix typo
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@tae-jun creating an issue doesn't mean that you have to handle it. Of course, if you want, you are welcome to do so, but remember we are a community, so that means we are here to help each other; if you create the PR I can spend some time and work with you on it.
Github user tae-jun commented on the issue:
https://github.com/apache/zeppelin/pull/1567
@anthonycorbacho Thanks! Don't worry! I do this because I want to 😄
Github user minahlee commented on the issue:
https://github.com/apache/zeppelin/pull/1567
Same Spark 1.3.1 test profile failure exists on master which looks like below:
```
Results :
Tests in error:
InterpreterRestApiTest.init:57->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
CredentialsRestApiTest.init:46->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
ZeppelinRestApiTest.init:59->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
NotebookRestApiTest.init:58->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
SecurityRestApiTest.init:44->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
NotebookRepoRestApiTest.init:52->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
ConfigurationsRestApiTest.init:39->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
ZeppelinSparkClusterTest.init:52->AbstractTestRestApi.startUp:233->AbstractTestRestApi.start:201 » NullPointer
NotebookSecurityRestApiTest.init:49->AbstractTestRestApi.startUpWithAuthenticationEnable:229->AbstractTestRestApi.start:201 » NullPointer
Tests run: 9, Failures: 0, Errors: 9, Skipped: 0
```
So I am going to merge this if there is no more discussion.
Github user tae-jun commented on the issue:
https://github.com/apache/zeppelin/pull/1567
I guess it's the same CI error as #1518.
There is a log which says:
```bash
gzip: stdin: unexpected end of file
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
+echo 'Unable to extract spark-1.3.1-bin-hadoop2.3.tgz'
Unable to extract spark-1.3.1-bin-hadoop2.3.tgz
```
This is because of a Travis CI cache failure, and once it happens it stays that way forever, because caching is done only the first time.
Because of this, if you follow the log further, you can see:
```bash
SPARK HOME detected null
```
Therefore, Zeppelin cannot find Spark, and the build fails.
I think it will pass if you run Travis CI on your own repository.
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/1567
Yeaaaaaay!
Github user bzz commented on the issue:
https://github.com/apache/zeppelin/pull/1589
👍 for docs in the same PR.
On CI, I think that's relatively minor, and if that's too complicated to configure we can opt for a manual test run + instructions in the docs.
Double-checking that we have all licenses for dependencies (and transitive dependencies) logged is important though.
BTW, are you sure that all those commits belong to this branch?
```
@anthonycorbacho ZEPPELIN-1586 Add security check in NotebookRestApi … 80c5360
@astroshim ZEPPELIN-1585 Testcase for PySparkInterpreter. … 3f03aa3
@cloverhearts [hotfix] does not showing notebooklist on navbar … 990cc86
```
GitHub user AhyoungRyu opened a pull request:
https://github.com/apache/zeppelin/pull/1825
[DOCS] ZEPPELIN-1586 Add 'Security' section under notebook restapi docs

What is this PR for?
After #1567 was merged we can get/set note permission information for a certain note. But this info is not described anywhere. So I added a "Security" section under [docs/rest-api/rest-notebook.md](https://github.com/apache/zeppelin/blob/master/docs/rest-api/rest-notebook.md).
And currently so many operations are placed under one section, like below.
<img src="https://cloud.githubusercontent.com/assets/10060731/21560964/c55d41cc-cea9-11e6-96ac-68f762c68bff.png" width="400px">
So I split them into `Note operations`, `Paragraph operations`, `Cron jobs`, and `Security`.
<img src="https://cloud.githubusercontent.com/assets/10060731/21560971/cd57cf46-cea9-11e6-9a41-95c817594c9c.png" width="400px">

What type of PR is it?
Documentation

What is the Jira issue?
ZEPPELIN-1877 (https://issues.apache.org/jira/browse/ZEPPELIN-1877)

How should this be tested?
Please see the screenshots below.

Screenshots (if appropriate)
![screen shot 2016-12-30 at 3 58 39 pm](https://cloud.githubusercontent.com/assets/10060731/21561001/1b83f2b2-ceaa-11e6-813d-6885c8dad3fc.png)
![screen shot 2016-12-30 at 3 58 46 pm](https://cloud.githubusercontent.com/assets/10060731/21561004/1d6695da-ceaa-11e6-8460-7a95377ede3b.png)
![screen shot 2016-12-30 at 3 58 50 pm](https://cloud.githubusercontent.com/assets/10060731/21561006/2001ee5c-ceaa-11e6-90a1-7619d1b29bee.png)

Questions:
- Do the license files need an update? no
- Are there breaking changes for older versions? no
- Does this need documentation? no
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/AhyoungRyu/zeppelin ZEPPELIN-1586/docs
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1825.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1825
commit 09d22d30ff8f927a5754c9c6f0f74ffb28ef8a71
Author: AhyoungRyu <fbdkdud93@hanmail.net>
Date: 2016-12-30T06:59:20Z
Add 'Security' section under notebook restapi docs
Github user AhyoungRyu commented on the issue:
https://github.com/apache/zeppelin/pull/1825
@anthonycorbacho As the creator of these operations, could you please help review this PR?
Github user AhyoungRyu commented on the issue:
https://github.com/apache/zeppelin/pull/1825
I updated this docs page again since REST API operations need to be listed in CRUD order. And I removed the unimplemented response code info as well. Please see the updated screenshot images.
Github user minahlee commented on the issue:
https://github.com/apache/zeppelin/pull/1825
Nice improvement, LGTM
Github user AhyoungRyu commented on the issue:
https://github.com/apache/zeppelin/pull/1825
Thanks @minahlee!
Will merge if there are no more comments on this.
GitHub user prabhjyotsingh opened a pull request:
https://github.com/apache/zeppelin/pull/2049
ZEPPELIN-1586 add new line char before "[urls]"

What is this PR for?
This is a minor bug fix in ZEPPELIN-1586; add a new line char before "[urls]".

What type of PR is it?
[Minor Bug Fix]

What is the Jira issue?
ZEPPELIN-1586

How should this be tested?
CI should be green.

Screenshots (if appropriate)
N/A

Questions:
- Do the license files need an update? N/A
- Are there breaking changes for older versions? N/A
- Does this need documentation? N/A
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1586
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/2049.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2049
commit 7f502b108dee32ec58a72ad6de2fd909142fd82b
Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Date: 2017-02-21T07:47:53Z
add new line char before "[urls]"
Github user prabhjyotsingh commented on the issue:
https://github.com/apache/zeppelin/pull/2049
@anthonycorbacho could you help review this? I think "[urls]" should be on a new line.
Github user r-kamath commented on the issue:
https://github.com/apache/zeppelin/pull/2049
Good catch. LGTM.
Github user prabhjyotsingh commented on the issue:
https://github.com/apache/zeppelin/pull/2049
Merging this if no more discussion.
Github user anthonycorbacho commented on the issue:
https://github.com/apache/zeppelin/pull/2049
LGTM!
GitHub user anthonycorbacho opened a pull request:
https://github.com/apache/zeppelin/pull/1567
ZEPPELIN-1586 Add security check in NotebookRestApi