Fixed issues with security documentation reported by @AhyoungRyu

2026-05-24 09:38:26 +00:00 · 2016-02-15 14:56:18 -08:00 · 2016-02-15 14:56:18 -08:00 · 28ea69763c
commit 28ea69763c
parent 1ac076e1a8
6 changed files with 16 additions and 48 deletions
--- a/conf/shiro.ini
+++ b/conf/shiro.ini
@ -19,8 +19,9 @@
 # List of users with their password allowed to access Zeppelin.
 # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
 admin = password1
-user1 = password2
-user2 = password3
+user1 = password2, role1, role2
+user2 = password3, role3
+user3 = password4, role2

 # Sample LDAP configuration, for user Authentication, currently tested for single Realm
 [main]
@ -33,6 +34,6 @@ user2 = password3
 # anon means the access is anonymous.
 # authcBasic means Basic Auth Security
 # To enfore security, comment the line below and uncomment the next one
-/** = anon
-#/** = authcBasic
+#/** = anon
+/** = authcBasic

--- a/docs/_includes/themes/zeppelin/_navigation.html
+++ b/docs/_includes/themes/zeppelin/_navigation.html
@ -55,15 +55,6 @@
                <li><a href="{{BASE_PATH}}/pleasecontribute.html">Tajo</a></li>
              </ul>
            </li>
-            <li>
-              <a href="#" data-toggle="dropdown" class="dropdown-toggle">Security<b class="caret"></b></a>
-              <ul class="dropdown-menu">
-                <li><a href="{{BASE_PATH}}/security/overview.html">Overview</a></li>
-                <li><a href="{{BASE_PATH}}/security/authentication.html#html">Authentication</a></li>
-                <li><a href="{{BASE_PATH}}/security/notebook_authorization.html">Notebook Authorization</a></li>
-                <li><a href="{{BASE_PATH}}/security/interpreter_authorization.html">Interpreter Authorization</a></li>
-              </ul>
-            </li>
            <li>
              <a href="#" data-toggle="dropdown" class="dropdown-toggle">Display System <b class="caret"></b></a>
              <ul class="dropdown-menu">
@ -88,6 +79,12 @@
                <li><a href="{{BASE_PATH}}/rest-api/rest-notebook.html">Notebook API</a></li>
                <li><a href="{{BASE_PATH}}/rest-api/rest-configuration.html">Configuration API</a></li>
                <li role="separator" class="divider"></li>
+                <!-- li><span><b>Security</b><span></li -->
+                <li><a href="{{BASE_PATH}}/security/overview.html">Security Overview</a></li>
+                <li><a href="{{BASE_PATH}}/security/authentication.html">Authentication</a></li>
+                <li><a href="{{BASE_PATH}}/security/notebook_authorization.html">Notebook Authorization</a></li>
+                <li><a href="{{BASE_PATH}}/security/interpreter_authorization.html">Interpreter Authorization</a></li>
+                <li role="separator" class="divider"></li>
                <!-- li><span><b>Development</b><span></li -->
                <li><a href="{{BASE_PATH}}/development/writingzeppelininterpreter.html">Writing Zeppelin Interpreter</a></li>
                <li><a href="{{BASE_PATH}}/development/howtocontribute.html">How to contribute (code)</a></li>
--- a/docs/security/authentication.md
+++ b/docs/security/authentication.md
@ -17,7 +17,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
-# Zeppelin Authentication
+# Authentication

 Authentication is company-specific. 

--- a/docs/security/interpreter_authorization.md
+++ b/docs/security/interpreter_authorization.md
@ -17,7 +17,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
-# Zeppelin Interpreter and Data Source Authorization
+# Interpreter and Data Source Authorization

 ## Interpreter Authorization

--- a/docs/security/notebook_authorization.md
+++ b/docs/security/notebook_authorization.md
@ -17,27 +17,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
-# Zeppelin Notebook Authorization
-
-## Overview
-There are different aspects to Zeppelin security:
-
-* Authentication: is the user who they say they are?
-* Notebook authorization: does the user have permissions to read or write to a note?
-* Interpreter authorization: does the user have permissions to perform interpreter operations e.g. access data source objects?
-
-
-## Authentication
-
-Authentication is company-specific. One option is to have an authentication server that can verify user credentials in an LDAP server.
-If an incoming request to the Zeppelin server does not have a cookie with user information encrypted with the authentication server public key, the user
-is redirected to the authentication server. Once the user is verified, the authentication server redirects the browser to a specific 
-URL in the Zeppelin server which sets the authentication cookie in the browser. 
-The end result is that all requests to the Zeppelin
-web server have the authentication cookie which contains user and groups information.
-
-
-## Notebook Authorization
+# Notebook Authorization

 We assume that there is an authentication component that associates a user string and a set of group strings with every NotebookSocket.

@ -55,12 +35,3 @@ operation, it checks if the user and the groups have at least one entity that be
 To initialize and modify note permissions, we provide UI like "Interpreter binding". The user inputs comma separated entities for owners, readers and writers.
 We execute a rest api call with this information. In the backend we get the user information for the connection and allow the operation if the user and groups 
 associated with the current user have at least one entity that belongs to owner entities for the note.
-
-## Interpreter Authorization
-The Interpreter authorization problem is more complex. Different interpreters require different strategies.
-
-For the Hive interpreter, we need to maintain per-user connection pools.
-The interpreter method takes the user string as parameter and executes the jdbc call using a connection in the user's connection pool.
-
-In case of Presto, we don't need password if the Presto DB server runs backend code using HDFS authorization for the user.
-For databases like Vertica and Mysql we would have to store password information for users.
--- a/docs/security/overview.md
+++ b/docs/security/overview.md
@ -23,7 +23,6 @@ limitations under the License.

 There are three aspects to Zeppelin security:

-* Authentication: is the user who they say they are? [More](overview.html)
+* Authentication: is the user who they say they are? [More](authentication.html)
 * Notebook authorization: does the user have permissions to read or write to a note? [More](notebook_authorization.html)
-* Interpreter authorization: does the user have permissions to perform interpreter operations e.g. access data source objects? [More](interpreter_authorization.html)
-
+* Interpreter and data source authorization: does the user have permissions to perform interpreter operations or access data source objects? [More](interpreter_authorization.html)