"Link to this paragraph" is a very powerful feature; it may allow embedding analytics graphs in other pages, for example dashboards.
I secured Zeppelin with basic auth by putting it behind an nginx proxy. Now I want the iframes to be publicly accessible, and here is why I can't have that.
The problem is that Zeppelin's iframe is designed in a way that prevents security.
1. It shares the URL of the Zeppelin web home (root /), so URL-based security is not possible.
2. Even worse, it uses WebSocket transport to get the data for a paragraph. This means that whenever you have access to one iframe, you can control the whole Zeppelin instance.
What I propose in this feature is to have:
1. A separate endpoint for the iframe HTML page, for example /paragraph-export/UUID
2. A separate HTTP endpoint for getting the data results for a paragraph, for example /paragraph-export/UUID/data.json
// Step #2 may be embedded into #1 so that the iframe HTML already contains the data for the exported paragraph.
So basically, when you click "export this paragraph as Iframe" you get a piece of HTML that can be embedded in any public website without the security hole being present.
It also allows saving the page locally, caching it, or putting it on a CDN (so Zeppelin is not overloaded).
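
How the proposed endpoints would make URL-based access control possible at the nginx proxy, as an added example that is not part of the original request or of Zeppelin itself. It assumes Zeppelin listens on 127.0.0.1:8080 and serves its WebSocket at /ws; the host name, certificate paths and htpasswd path are placeholders, and /paragraph-export/ is the endpoint proposed above, not an existing one.

```nginx
# Added example. /paragraph-export/ is the endpoint proposed in this request
# and does not exist in Zeppelin; upstream address and /ws path are assumptions.
upstream zeppelin {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name zeppelin.example.com;                  # placeholder host
    ssl_certificate     /etc/nginx/tls/zeppelin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/zeppelin.key;   # placeholder path

    # Default for every location: basic auth, as in the current setup.
    auth_basic           "Zeppelin";
    auth_basic_user_file /etc/nginx/zeppelin.htpasswd; # placeholder path

    # Web UI at the root. Today the iframe page also lives here, so it
    # cannot be opened to the public without opening the whole UI.
    location / {
        proxy_pass http://zeppelin;
    }

    # WebSocket transport: gives control of the instance, so it stays
    # behind authentication and is never reachable from a public iframe.
    location /ws {
        proxy_pass http://zeppelin;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Proposed export endpoints: the only unauthenticated paths.
    # Matches /paragraph-export/UUID and /paragraph-export/UUID/data.json.
    location ~ ^/paragraph-export/[0-9A-Za-z-]+(/data\.json)?$ {
        auth_basic off;
        limit_except GET { deny all; }       # read-only (GET and HEAD)
        proxy_pass http://zeppelin;
        proxy_hide_header Set-Cookie;        # no session cookie for public viewers
        add_header Cache-Control "public, max-age=60";  # lets a CDN or browser cache it
    }
}
```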