
Support PAM (System User) Authentication

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.6.2
    • 0.7.0
    • zeppelin-server
    • None

    Description

      Adding PAM authentication will significantly decrease the configuration effort and make system OS level users available for login. Those system level users could be further mapped to an AD or LDAP by pam_ldap, sssd or similar.

          Activity

            githubbot ASF GitHub Bot added a comment -

            GitHub user hkropp opened a pull request:

            https://github.com/apache/zeppelin/pull/1589

            [Zeppelin-1611] - Support PAM (System User) Authentication

                1. What is this PR for?
                  This PR adds [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support based on the introduced Shiro security implementation. With PAM support system users have immediate access to a secured Zeppelin instance.
                1. What type of PR is it?
                  Feature
                1. Todos
            • [x] - Create PAM realm
            • [x] - Create test for PAM authentication
            • [x] - Test with running Zeppelin instance
                1. What is the Jira issue?
                  [ZEPPELIN-1611](https://issues.apache.org/jira/browse/ZEPPELIN-1611)
                1. How should this be tested?
                  `PamRealmTest` executes an automated test if the environment variables `PAM_USER` and `PAM_PASS` are set. These should be set to a system username and password.
                  The test also includes a main function to manually execute the test. To set the environment variables for your IDE, for example on macOS, use `launchctl setenv PAM_USER user` and `launchctl setenv PAM_PASS xxxxx`; the test can then be run from your IDE.
                1. Screenshots (if appropriate)
                1. Questions:
            • Does the licenses files need update? No
            • Is there breaking changes for older versions? No
            • Does this needs documentation? Yes

            You can merge this pull request into a Git repository by running:

            $ git pull https://github.com/hkropp/incubator-zeppelin ZEPPELIN-1611

            Alternatively you can review and apply these changes as the patch at:

            https://github.com/apache/zeppelin/pull/1589.patch

            To close this pull request, make a commit to your master/trunk branch
            with (at least) the following in the commit message:

            This closes #1589


            commit 257f14e333c28c1b4b8f37e47ba9963221287c5c
            Author: hkropp <hkropp@hortonworks.com>
            Date: 2016-11-03T09:35:36Z

            ZEPPELIN-1611

            commit b673c76be855d7a13f7b34fda0032c2f8040694c
            Author: hkropp <hkropp@hortonworks.com>
            Date: 2016-11-03T09:35:45Z

            Merge branch 'master' of github.com:apache/incubator-zeppelin into ZEPPELIN-1611

            commit efa79afa47147d6e1caa0767d4929e3c752c64e3
            Author: hkropp <hkropp@hortonworks.com>
            Date: 2016-11-03T09:35:36Z

            ZEPPELIN-1611

            commit 00cc0320840a08a76925dbfbf0494f0623c0e558
            Author: Anthony Corbacho <corbacho.anthony@gmail.com>
            Date: 2016-11-03T02:59:07Z

            ZEPPELIN-1586 Add security check in NotebookRestApi

                1. What is this PR for?

            Bring some security check in `NotebookRestApi`.

                1. What type of PR is it?

            [Bug Fix | Improvement | Refactoring]

                1. Todos
            • [x] - Create a proper way to throw webapp error
            • [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
            • [x] - Add Authorization check in `NotebookRestapi`
            • [x] - Add New test for security in notebook rest api
                1. What is the Jira issue?
                  [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)
                1. How should this be tested?

            First, force Zeppelin to use auth.

            • In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to *false*

            ```
            <property>
            <name>zeppelin.anonymous.allowed</name>
            <value>false</value>
            <description>Anonymous user allowed by default</description>
            </property>
            ```

            • In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file

            ```
            #/** = anon
            /** = authc
            ```

            • Start Zeppelin, login and set some permission to a note
            • try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie))

                1. Screenshots (if appropriate)

            ![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

                1. Questions:
            • Does the licenses files need update? No
            • Is there breaking changes for older versions? No
            • Does this needs documentation? Maybe

            Author: Anthony Corbacho <corbacho.anthony@gmail.com>

            Closes #1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the following commits:

            6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server
            30815c1 [Anthony Corbacho] Fix typo
            bab7e60 [Anthony Corbacho] Rewording
            decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security)
            b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user
            db0c39c [Anthony Corbacho] Adress review and fix typos
            eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner
            c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException
            ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful
            6030776 [Anthony Corbacho] Handle security check
            fe380ab [Anthony Corbacho] Add webapp exception handler
            21f9288 [Anthony Corbacho] Replace check of aninonimous by method
            0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer)
            da3415f [Anthony Corbacho] Add new method to help to determinate if user is part of writer and/or owner for the given note
            4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get is zeppelin is running on anonimous mode or not

            commit bbf17da9e5ac272227083fcdafadb13842898cac
            Author: hkropp <hkropp@hortonworks.com>
            Date: 2016-11-03T09:42:04Z

            Merge branch 'ZEPPELIN-1611' of github.com:hkropp/incubator-zeppelin into ZEPPELIN-1611
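
Added example (not part of the issue or of either pull request): a Python check for the two settings the ZEPPELIN-1586 commit message above says to change before testing. The file contents are constructed samples modelled on the quoted snippets; the `/api/version = anon` rule and all function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, modelled on the snippets quoted in the comment.
SITE_XML = """<configuration><property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
</property></configuration>"""
SHIRO_INI = "[urls]\n/api/version = anon\n#/** = anon\n/** = authc\n"


def anonymous_allowed(site_xml):
    # A missing property counts as allowed, following the property's own
    # description on the page ("Anonymous user allowed by default").
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "zeppelin.anonymous.allowed":
            return (prop.findtext("value") or "").strip().lower() != "false"
    return True


def url_rules(shiro_ini):
    # Ordered (pattern, filter chain) pairs from the [urls] section only.
    rules, in_urls = [], False
    for line in (raw.strip() for raw in shiro_ini.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or commented-out rule such as "#/** = anon"
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
        elif in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules


def audit(site_xml, shiro_ini):
    # Returns findings; an empty list means both settings force a login.
    findings = []
    if anonymous_allowed(site_xml):
        findings.append("zeppelin.anonymous.allowed is not false")
    rules = url_rules(shiro_ini)
    # Shiro applies the first matching rule, so only the first /** counts.
    catch_all = next((c for p, c in rules if p == "/**"), None)
    if catch_all is None:
        findings.append("no /** rule in [urls]")
    elif "authc" not in [f.strip() for f in catch_all.split(",")]:
        findings.append("/** maps to '%s', not authc" % catch_all)
    findings += ["%s is served without login" % p
                 for p, c in rules if p != "/**" and c == "anon"]
    return findings
```

Call `audit()` with the contents of `conf/zeppelin-site.xml` and `conf/shiro.ini`; any path it reports as served without login should be an intentional exception.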


            githubbot ASF GitHub Bot added a comment -

            Github user asfgit closed the pull request at:

            https://github.com/apache/zeppelin/pull/1589


            People

              hkropp Henning Kropp