Details
- New Feature
- Status: Closed
- Major
- Resolution: Duplicate
Description
The goal is to restrict web access to users who have previously been authenticated by a Kerberos server (and so have a valid Kerberos ticket).
I will submit a PR which implements a filter (from hadoop-auth jar) in case a new configuration key zeppelin.security.authentication is set to kerberos.
I will also add session management to maintain the set of authenticated users. This is needed to ensure the websocket is also secured.
This is related to:
- ZEPPELIN-173 (Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking)
- ZEPPELIN-113 (Provide HTTP Keep Alive for Web and Web Sockets)
I will try to rely on ZEPPELIN-172 (Websocket connection without separate port) as it may be easier to secure a single webapp managed by jetty.
Issue Links
- relates to: ZEPPELIN-3792 Support Kerberos Realm (Closed)