GitHub user hkropp opened a pull request:
https://github.com/apache/zeppelin/pull/1589
[Zeppelin-1611] - Support PAM (System User) Authentication
- What is this PR for?
This PR adds [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support based on the introduced Shiro security implementation. With PAM support system users have immediate access to a secured Zeppelin instance.
- What type of PR is it?
Feature
- Todos
- [x] - Create PAM realm
- [x] - Create test for PAM authentication
- [x] - Test with running Zeppelin instance
- What is the Jira issue?
[ZEPPELIN-1611](https://issues.apache.org/jira/browse/ZEPPELIN-1611)
- How should this be tested?
`PamRealmTest` executes an automated test if the environment variables `PAM_USER` and `PAM_PASS` are set. These should be set to a system username and password.
The test also includes a main function to manually execute the test. To set the environment variables for your IDE, for example on macOS, use `launchctl setenv PAM_USER user` and `launchctl setenv PAM_PASS xxxxx`; the test can then be run from your IDE.
- Screenshots (if appropriate)
- Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Yes
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/hkropp/incubator-zeppelin ZEPPELIN-1611
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1589.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1589
commit 257f14e333c28c1b4b8f37e47ba9963221287c5c
Author: hkropp <hkropp@hortonworks.com>
Date: 2016-11-03T09:35:36Z
ZEPPELIN-1611
commit b673c76be855d7a13f7b34fda0032c2f8040694c
Author: hkropp <hkropp@hortonworks.com>
Date: 2016-11-03T09:35:45Z
Merge branch 'master' of github.com:apache/incubator-zeppelin into ZEPPELIN-1611
commit efa79afa47147d6e1caa0767d4929e3c752c64e3
Author: hkropp <hkropp@hortonworks.com>
Date: 2016-11-03T09:35:36Z
ZEPPELIN-1611
commit 00cc0320840a08a76925dbfbf0494f0623c0e558
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Date: 2016-11-03T02:59:07Z
ZEPPELIN-1586 Add security check in NotebookRestApi
- What is this PR for?
Bring some security checks to `NotebookRestApi`.
- What type of PR is it?
[Bug Fix | Improvement | Refactoring]
- Todos
- [x] - Create a proper way to throw webapp error
- [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
- [x] - Add Authorization check in `NotebookRestapi`
- [x] - Add New test for security in notebook rest api
- What is the Jira issue?
[ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*
```
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```
#/** = anon
/** = authc
```
(you can use your browser or curl (if you use curl, please add the Shiro token to the curl cookie))
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)
- Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Closes #1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the following commits:
6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server
30815c1 [Anthony Corbacho] Fix typo
bab7e60 [Anthony Corbacho] Rewording
decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security)
b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user
db0c39c [Anthony Corbacho] Address review and fix typos
eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner
c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException
ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful
6030776 [Anthony Corbacho] Handle security check
fe380ab [Anthony Corbacho] Add webapp exception handler
21f9288 [Anthony Corbacho] Replace check of anonymous by method
0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer)
da3415f [Anthony Corbacho] Add new method to help to determine if user is part of writer and/or owner for the given note
4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get whether Zeppelin is running in anonymous mode or not
commit bbf17da9e5ac272227083fcdafadb13842898cac
Author: hkropp <hkropp@hortonworks.com>
Date: 2016-11-03T09:42:04Z
Merge branch 'ZEPPELIN-1611' of github.com:hkropp/incubator-zeppelin into ZEPPELIN-1611
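An added example, not part of the pull request or of Zeppelin's code: a small Python audit of the two settings the ZEPPELIN-1586 commit message above changes to force authentication (`zeppelin.anonymous.allowed` in `conf/zeppelin-site.xml` and the `/**` rule in `conf/shiro.ini`). The sample file contents, function names and finding strings are constructed for illustration, and the check relies on Shiro applying the first matching `[urls]` rule.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (illustrative, not from a real deployment).
SITE = ("<configuration><property><name>zeppelin.anonymous.allowed</name>"
        "<value>{}</value></property></configuration>")
HARDENED_INI = "[urls]\n/api/version = anon\n#/** = anon\n/** = authc\n"
WEAK_INI = "[urls]\n/** = anon\n/** = authc\n"


def anonymous_allowed(site_xml):
    """Effective zeppelin.anonymous.allowed; an absent property counts as allowed."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "zeppelin.anonymous.allowed":
            return (prop.findtext("value") or "").strip().lower() != "false"
    return True


def url_rules(shiro_ini):
    """(pattern, [filters]) pairs from the [urls] section, in file order."""
    section, rules = None, []
    for raw in shiro_ini.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment, e.g. "#/** = anon"
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "urls" and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), [f.strip() for f in chain.split(",")]))
    return rules


def audit(site_xml, shiro_ini):
    """Return a list of findings; an empty list means authentication is forced."""
    findings = []
    if anonymous_allowed(site_xml):
        findings.append("zeppelin.anonymous.allowed is not false")
    # Shiro uses the first matching [urls] rule, so only the first /** counts.
    catch_all = next((f for p, f in url_rules(shiro_ini) if p == "/**"), None)
    if catch_all is None:
        findings.append("no /** rule in [urls]")
    elif "authc" not in catch_all:
        findings.append(f"/** resolves to {','.join(catch_all)}, not authc")
    return findings


if __name__ == "__main__":
    print(audit(SITE.format("false"), HARDENED_INI))
    print(audit(SITE.format("true"), WEAK_INI))
```

The weak sample keeps an uncommented `/** = anon` line above `/** = authc`, which is why appending the `authc` rule without commenting out the `anon` one leaves the instance open.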