
Support PAM (System User) Authentication

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.6.2
    • Fix Version/s: 0.7.0
    • Component/s: zeppelin-server
    • Labels:
      None

      Description

      Adding PAM authentication will significantly decrease the configuration effort and make system OS level users available for login. Those system level users could be further mapped to an AD or LDAP by pam_ldap, sssd or similar.

          Activity
          githubbot ASF GitHub Bot added a comment -

          GitHub user hkropp opened a pull request:

          https://github.com/apache/zeppelin/pull/1589

          [Zeppelin-1611] - Support PAM (System User) Authentication

          ### What is this PR for?
          This PR adds [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support based on the introduced Shiro security implementation. With PAM support, system users have immediate access to a secured Zeppelin instance.

          ### What type of PR is it?
          Feature

          ### Todos
          • [x] - Create PAM realm
          • [x] - Create test for PAM authentication
          • [x] - Test with running Zeppelin instance

          ### What is the Jira issue?
          ZEPPELIN-1611 (https://issues.apache.org/jira/browse/ZEPPELIN-1611)

          ### How should this be tested?
          `PamRealmTest` executes an automated test if the environment variables `PAM_USER` and `PAM_PASS` are set. These should be set to a system username and password.
          The test also includes a main function to manually execute the test. To set the environment variables for your IDE, for example on macOS, use `launchctl setenv PAM_USER user` and `launchctl setenv PAM_PASS xxxxx`; the test can then be run from your IDE.

          ### Screenshots (if appropriate)

          ### Questions:
          • Do the license files need an update? No
          • Are there breaking changes for older versions? No
          • Does this need documentation? Yes

          You can merge this pull request into a Git repository by running:

          $ git pull https://github.com/hkropp/incubator-zeppelin ZEPPELIN-1611

          Alternatively you can review and apply these changes as the patch at:

          https://github.com/apache/zeppelin/pull/1589.patch

          To close this pull request, make a commit to your master/trunk branch
          with (at least) the following in the commit message:

          This closes #1589


          commit 257f14e333c28c1b4b8f37e47ba9963221287c5c
          Author: hkropp <hkropp@hortonworks.com>
          Date: 2016-11-03T09:35:36Z

          ZEPPELIN-1611

          commit b673c76be855d7a13f7b34fda0032c2f8040694c
          Author: hkropp <hkropp@hortonworks.com>
          Date: 2016-11-03T09:35:45Z

          Merge branch 'master' of github.com:apache/incubator-zeppelin into ZEPPELIN-1611

          commit efa79afa47147d6e1caa0767d4929e3c752c64e3
          Author: hkropp <hkropp@hortonworks.com>
          Date: 2016-11-03T09:35:36Z

          ZEPPELIN-1611

          commit 00cc0320840a08a76925dbfbf0494f0623c0e558
          Author: Anthony Corbacho <corbacho.anthony@gmail.com>
          Date: 2016-11-03T02:59:07Z

          ZEPPELIN-1586 Add security check in NotebookRestApi

          ### What is this PR for?

          Bring some security check in `NotebookRestApi`.

          ### What type of PR is it?

          [Bug Fix | Improvement | Refactoring]

          ### Todos
          • [x] - Create a proper way to throw webapp error
          • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
          • [x] - Add Authorization check in `NotebookRestapi`
          • [x] - Add New test for security in notebook rest api

          ### What is the Jira issue?

          ZEPPELIN-1586 (https://issues.apache.org/jira/browse/ZEPPELIN-1586)

          ### How should this be tested?

          First, force Zeppelin to use auth.

          • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

          ```
          <property>
          <name>zeppelin.anonymous.allowed</name>
          <value>false</value>
          <description>Anonymous user allowed by default</description>
          </property>
          ```

          • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

          ```
          #/** = anon
          /** = authc
          ```

          • Start Zeppelin, log in and set some permission to a note
          • Try to get a note from the Zeppelin REST API `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl; if you use curl, please add the Shiro token to the curl cookie)

          ### Screenshots (if appropriate)

          ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

          ### Questions:
          • Do the license files need an update? No
          • Are there breaking changes for older versions? No
          • Does this need documentation? Maybe

          Author: Anthony Corbacho <corbacho.anthony@gmail.com>

          Closes #1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the following commits:

          6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server
          30815c1 [Anthony Corbacho] Fix typo
          bab7e60 [Anthony Corbacho] Rewording
          decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security)
          b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user
          db0c39c [Anthony Corbacho] Adress review and fix typos
          eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner
          c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException
          ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful
          6030776 [Anthony Corbacho] Handle security check
          fe380ab [Anthony Corbacho] Add webapp exception handler
          21f9288 [Anthony Corbacho] Replace check of aninonimous by method
          0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer)
          da3415f [Anthony Corbacho] Add new method to help to determinate if user is part of writer and/or owner for the given note
          4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get is zeppelin is running on anonimous mode or not

          commit bbf17da9e5ac272227083fcdafadb13842898cac
          Author: hkropp <hkropp@hortonworks.com>
          Date: 2016-11-03T09:42:04Z

          Merge branch 'ZEPPELIN-1611' of github.com:hkropp/incubator-zeppelin into ZEPPELIN-1611
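
          The two settings from the ZEPPELIN-1586 test steps above can be checked before starting Zeppelin. This is an added example, not code from the pull request or from Zeppelin: it parses `zeppelin-site.xml` and the `[urls]` section of `shiro.ini` and reports which filter chain applies to the note REST path, using Shiro's rule that `[urls]` entries are evaluated in file order and the first match wins. The function names, the sample note id, the `/api/version = anon` rule and the simplified Ant-pattern matching are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from a real deployment.
SITE_XML = ("<configuration><property><name>zeppelin.anonymous.allowed</name>"
            "<value>false</value></property></configuration>")
SHIRO_INI = "[urls]\n/api/version = anon\n#/** = anon\n/** = authc\n"

def anonymous_allowed(site_xml):
    """Value of zeppelin.anonymous.allowed; absent means allowed (the default)."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if prop.findtext("name", "").strip() == "zeppelin.anonymous.allowed":
            return prop.findtext("value", "").strip().lower() == "true"
    return True

def url_rules(shiro_ini):
    """Ordered (pattern, filter chain) pairs from the [urls] section."""
    rules, section = [], None
    for line in shiro_ini.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or commented-out rule
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "urls" and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def ant_to_regex(pattern):
    """Simplified Ant matching: ** crosses '/', * and ? stay inside a segment."""
    trans = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(trans.get(p, re.escape(p)) for p in parts) + r"\Z")

def chain_for(path, rules):
    """Return the filter chain of the first rule that matches, as Shiro does."""
    for pattern, chain in rules:
        if ant_to_regex(pattern).match(path):
            return chain
    return None

def note_api_requires_login(site_xml, shiro_ini, path="/api/notebook/2A94M5J1Z"):
    """True only if anonymous mode is off and the path resolves to authc."""
    chain = chain_for(path, url_rules(shiro_ini))
    filters = [f.strip() for f in (chain or "").split(",")]
    return not anonymous_allowed(site_xml) and "authc" in filters

if __name__ == "__main__":
    print(note_api_requires_login(SITE_XML, SHIRO_INI))
```

          Because the first match wins, an uncommented `/** = anon` line placed above `/** = authc` leaves the note API open even though the `authc` rule is present.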


          githubbot ASF GitHub Bot added a comment -

          Github user asfgit closed the pull request at:

          https://github.com/apache/zeppelin/pull/1589


            People

            • Assignee:
              hkropp Henning Kropp
              Reporter:
              hkropp Henning Kropp
            • Votes:
              0
              Watchers:
              3
