mirror of
https://github.com/apache/zeppelin
synced 2026-05-24 09:38:26 +00:00
13 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
90decd2a1f |
[DOCS] Remove outdated 'Security Setup' section in SECURITY-README
### What is this PR for?
[SECURITY-README.md](https://github.com/apache/zeppelin/blob/master/SECURITY-README.md) was added by #53 when Shiro auth was implemented for the first time. But I think we need to keep "Security Setup" information in one source; [Official docs website](https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/shiroauthentication.html#security-setup) and guide ppl to see this official docs page so that `SECURITY-README.md` can only contain dev related contents (not step by step setup guide).
### What type of PR is it?
Documentation
### What is the Jira issue?
N/A
### How should this be tested?
Just clicking "View" would be enough I guess :)
### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A
Author: AhyoungRyu <fbdkdud93@hanmail.net>
Closes #1829 from AhyoungRyu/remove/duplicatedSection and squashes the following commits:
|
||
|
|
e5ac1134c3 |
[DOCS] Update Shiro conf file with new package names in docs accordingly
### What is this PR for?
Based on #1700, https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/shiroauthentication.html#groups-and-permissions-optional needs be updated accordingly.
```
activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
```
to
```
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm
```
### What type of PR is it?
Documentation
### What is the Jira issue?
N/A
### How should this be tested?
No need to test this I guess. I just changed 3 words :D
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no
Author: AhyoungRyu <fbdkdud93@hanmail.net>
Closes #1703 from AhyoungRyu/update/shiro-config-docs and squashes the following commits:
|
||
|
|
5b1b811540 |
[ZEPPELIN-1644] make document easier to follow key instructions
### What is this PR for?
Doc should deliver key features and recommended usage more simple and easy way.
- docs/install/install.md has lots of duplicated section with README.md.
- docs/install/install.md includes install from binary as well as build from source. I've seen that makes some beginners try download binary and then source build it again.
- recommended and key usage need to be highlighted.
- Be less verbose in key instructions. Move optional, additional info from in the middle of key instruction to end of the each page.
### What type of PR is it?
Improvement
### Todos
* [x] - improve doc
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-1644
### How should this be tested?
Run doc locally
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no
Author: Lee moon soo <moon@apache.org>
Closes #1615 from Leemoonsoo/ZEPPELIN-1644 and squashes the following commits:
|
||
|
|
f866d234a1 |
[Zeppelin-1611] - Support PAM (System User) Authentication
### What is this PR for?
This PR adds [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support based on the introduced Shiro security implementation. With PAM support system users have immediate access to a secured Zeppelin instance.
### What type of PR is it?
Feature
### Todos
* [x] - Create PAM realm
* [x] - Create test for PAM authentication
* [x] - Test with running Zeppelin instance
### What is the Jira issue?
[ZEPPELIN-1611](https://issues.apache.org/jira/browse/ZEPPELIN-1611)
### How should this be tested?
`PamRealmTest` executes an automated test if the environment variables `PAM_USER` and `PAM_PASS` are set. This should be set to system username and password.
The test also includes a main function to manually execute the test. Setting the environment variables for example on MacOS for your IDE use `launchctl setenv PAM_USER user` and `launchctl setenv PAM_PASS xxxxx`, the test can then be run from your IDE.
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? Yes
Author: hkropp <hkropp@hortonworks.com>
Closes #1589 from hkropp/ZEPPELIN-1611 and squashes the following commits:
|
||
|
|
f7c7efdb86 |
[DOC] Update shiro after merging #1568
### What is this PR for?
A simple update of the documentation to let user know how that they need to copy `shiro.ini.template` to `shiro.ini`
### What type of PR is it?
[Documentation]
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? NO
* Is there breaking changes for older versions? NO
* Does this needs documentation? NO
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Closes #1571 from anthonycorbacho/doc/ShiroTemplate and squashes the following commits:
|
||
|
|
5ac3faeba4 |
[ZEPPELIN-530] Added changes for Credential Provider, using hadoop commons Credential apis
### What is this PR for?
This is the first step in order to ensure clear text passwords are not stored in the configuration files. To start with this PR will take care of getting AD system password from the .jceks file, configured by the user specified in the shiro.ini file. Going forward the same keystore can be used to read passwords for other systems as well.
If the hadoopSecurityCredentialPath path is present and not empty in the shiro.ini, then the password is read from the keystore file and it need not be stored inside the shiro.ini file.
### What type of PR is it?
[ Improvement]
### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-530
### How should this be tested?
Create a keystore file using the hadoop credential commandline, for this the hadoop commons should be in the classpath
`hadoop credential create activeDirectoryRealm.systempassword -provider jceks://file/user/zeppelin/conf/zeppelin.jceks`
Change the following values in the Shiro.ini file, and uncomment the line:
`activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks`
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No. This is an additional option.
* Does this needs documentation? Yes
### Tasks
* Documentation
Author: Rohit Choudhary <rconline@gmail.com>
Closes #1315 from rconline/ZEPPELIN-530 and squashes the following commits:
|
||
|
|
85d4df4f0c |
[ZEPPELIN-1219] Add searching feature to Zeppelin docs site
### What is this PR for?
As more and more document pages are added, it's really hard to find specific pages. So I added searching feature to Zeppelin documentation site([jekyll](https://jekyllrb.com/) based site) using [lunr.js](http://lunrjs.com/).
- **How does it work?**
I created [`search_data.json`](
|
||
|
|
e6f51e7183 |
[ZEPPELIN-1164] ZeppelinHub Realm
### What is this PR for?
Add a new Shiro Realm that lets users authenticate in Apache Zeppelin using their ZeppelinHub credentials.
### What type of PR is it?
`Feature`
### Todos
* [x] - Create ZeppelinHub Realm that extends `AuthorizingRealm`.
* [x] - Update `shiro.ini` file and add ZeppelinHub configuration template.
* [x] - Add documentation
### What is the Jira issue?
[Issue 1164](https://issues.apache.org/jira/browse/ZEPPELIN-1164)
### How should this be tested?
- Assuming that you already have an account [Zeppelinhub](https://www.zeppelinhub.com/register), edit `conf/shiro.ini` file and uncomment ZeppelinHub related configuration.
- Start your Zeppelin
- Login with your ZeppelinHub credentials.
### Screenshots (if appropriate)
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? YES
Author: Anthony Corbacho <corbacho.anthony@gmail.com>
Closes #1173 from anthonycorbacho/feat/ZeppelinHubAuthentication and squashes the following commits:
|
||
|
|
1a2cceddf3 |
[ZEPPELIN-987] Enable user to secure interpreter setting, credentials and configurations info
### What is this PR for?
For some user cases, people might want to hide **Interpreter Setting**, **Credentials** and **Configurations** information to other users (who are defined in `conf/shiro.ini`).
So I added
```
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
```
below the [ [urls] ](https://github.com/apache/zeppelin/blob/master/conf/shiro.ini#L38) section.
This issue was originally suggested at [Zeppelin user mailing list](https://mail-archives.apache.org/mod_mbox/zeppelin-users/201606.mbox/%3CCAPgU7Y%3DBJrXQ_P0ond4PTukoya0FEjwoPuUb31iN3qwo8iyM1Q%40mail.gmail.com%3E) by TomNorden
### What type of PR is it?
Improvement | Documentation
### Todos
* [x] - Add `interpreter`, `credential` and `configuration` url to `conf/shiro.ini`
* [x] - Update `shiroauthentication.md` for this change
* [x] - Redirect to home with ngToast error message when status is `401`
* [x] - Rebase after #1100 merged and add error message to `Credential` menu as well
### What is the Jira issue?
[ZEPPELIN-987](https://issues.apache.org/jira/browse/ZEPPELIN-987)
### How should this be tested?
1. Apply this patch and restart Zeppelin
2. Login with `admin` and `password1`
3. Go to interpreter, credential and configuration tab -> You can see all of the information in each tabs
4. Logout -> Login again with `user1` and `password2`
5. Go to interpreter, credential and configuration tab -> In this time, you can't see all of the information in each tabs
### Screenshots (if appropriate)
- When you login with `user1` (doesn't have permission to see the interpreter, credential and configuration info)
  - interpreter menu
  - configuration menu
  - credential menu
- `shiroauthentication.md`
<img width="807" alt="screen shot 2016-06-10 at 12 25 02 pm" src="https://cloud.githubusercontent.com/assets/10060731/15976949/a49bc542-2f0a-11e6-8869-8575ba8f1875.png">
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? Yes, so I updated.
Author: AhyoungRyu <fbdkdud93@hanmail.net>
Closes #993 from AhyoungRyu/ZEPPELIN-987 and squashes the following commits:
|
||
|
|
5975125f18 |
[ZEPPELIN-1018] Apply auto "Table of Contents" generator to Zeppelin docs website
### What is this PR for?
I added auto TOC(Table of Contents) generator for Zeppelin documentation website. TOC can help people looking through whole contents at a glance and finding what they want quickly.
I just added `<div id="toc"></div>` to the each documentation header. [`toc`](https://github.com/apache/zeppelin/compare/master...AhyoungRyu:ZEPPELIN-1018?expand=1#diff-85af09fb498a5667ea455391533f945dR3) recognize `<h2>` & `<h3>` as a title in the docs and it automatically generate TOC. So I set a rule for this work. (I'll write this rule on `docs/CONTRIBUTING.md` or [docs/howtocontributewebsite](https://zeppelin.apache.org/docs/0.6.0-SNAPSHOT/development/howtocontributewebsite.html)).
```
# Level-1 Heading <- Use only for the main title of the page
## Level-2 Heading <- Start with this one
### Level-3 heading <- Only use this one for child of Level-2

toc only recognize Level-2 & Level-3
```
Please see the below attached screenshot image.
### What type of PR is it?
Improvement & Documentation
### Todos
* [x] - Add TOC generator
* [x] - Apply TOC(`<div id="toc"></div>`) to every documentation and reorganize each headers(apply the above rule)
* [x] - Fix some broken code block in several docs
* [x] - Apply TOC to `r.md` (Currently R docs has some duplicated info since [this one](
|
||
|
|
24922e1036 |
[Zeppelin 946] Permissions not honoring group
### What is this PR for?
Error:
Insufficient privileges to write notebook. Allowed users or roles: [admin, zeppelinWrite] But the user randerson belongs to: [randerson]
It seems clear that user randerson isn't mapped to any roles, or groups (even though he of course is a member of the zeppelinWrite group in AD and as a result also part of the local admin Role). A TCPDUMP reveals that during login, all of my group memberships are in fact returned during the ldap bind operation. However, when I attempt to modify a notebook, a call is never made to AD, to pull back my group memberships. It doesn't seem to look at my local group memberships (/etc/group) either.
### What type of PR is it?
[Bug Fix]
### Todos
* [x] - fix for permissions not honoring group
* [x] - read roles from shiro.ini
* [x] - at times group name was displaying instead of user/principal name.
* [x] - doc
### What is the Jira issue?
[ZEPPELIN-946](https://issues.apache.org/jira/browse/ZEPPELIN-946)
### Screenshots/How should this be tested?
Use one of the following setting for IniRealm, LDAP or AD in shiro.ini
```
[main]
admin = password1, admin
finance1 = finance1, finance
finance2 = finance2, finance
hr1 = hr1, hr
hr2 = hr2, hr

activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
activeDirectoryRealm.systemUsername = userNameA
activeDirectoryRealm.systemPassword = passwordA
activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM
activeDirectoryRealm.url = ldap://ldap.test.com:389
activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr"
activeDirectoryRealm.authorizationCachingEnabled = false

ldapRealm = org.apache.zeppelin.server.LdapGroupRealm
# search base for ldap groups (only relevant for LdapGroupRealm):
ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM
ldapRealm.contextFactory.url = ldap://ldap.test.com:389
ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM
ldapRealm.contextFactory.authenticationMechanism = SIMPLE

[roles]
admin = *
hr = *
finance = *
group1 = *

[urls]
/api/version = anon
/** = authc
```
Login as user1 (say finance1), and set a permission of a notebook as "finance"
<img width="1282" alt="screen shot 2016-06-11 at 9 50 32 am" src="https://cloud.githubusercontent.com/assets/674497/15983178/aad710ee-2fbc-11e6-861d-508ecc8c7b74.png">
Save setting
<img width="1281" alt="screen shot 2016-06-11 at 9 51 05 am" src="https://cloud.githubusercontent.com/assets/674497/15983180/aad86ea8-2fbc-11e6-8b68-4571496ec733.png">
Now logout and login as user2 (say finance2) which belong to the same group as above "finance", verify that you have access to the same notebook.
<img width="1282" alt="screen shot 2016-06-11 at 9 51 25 am" src="https://cloud.githubusercontent.com/assets/674497/15983181/aad9a78c-2fbc-11e6-8a41-a3dc108cabdc.png">
Logout and login again, this time as a user that does not belong to the group "finance", a user say hr1. Verify that this user does not have permission to view the same notebook.
<img width="1281" alt="screen shot 2016-06-11 at 9 51 42 am" src="https://cloud.githubusercontent.com/assets/674497/15983179/aad7794e-2fbc-11e6-9002-f7b0fc54ac59.png">
### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no
Author: Prabhjyot Singh <prabhjyotsingh@gmail.com>
Closes #986 from prabhjyotsingh/ZEPPELIN-946 and squashes the following commits:
|
||
|
|
81adf09f21 |
[ZEPPELIN-980] Move git repository from incubator-zeppelin to zeppelin
### What is this PR for?
git repo infra have moved from incubator-zeppelin to zeppelin
### What type of PR is it?
Hot Fix
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? No
Author: Mina Lee <minalee@apache.org>
Closes #983 from minahlee/ZEPPELIN-980 and squashes the following commits:
|
||
|
|
aff2755eb7 |
Update/shiro docs
### What is this PR for?
Currently, Zeppelin has two authentication docs. One is [**Authentication**](https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html) and the other is [**Shiro Authentication**](https://zeppelin.incubator.apache.org/docs/0.6.0-incubating-SNAPSHOT/manual/shiroauthentication.html). As a user, it's a little bit confusing.
So I changed the category of `shiroauthentication.md` file from `manual` to `security` and also changed the name of `Authentication` to `Authentication for NGINX`. Please see the below screenshot images :)
### What type of PR is it?
Improvement
### Todos
* [x] - Add `conf/shiro.ini` file to `.gitignore`
* [x] - Update `zeppelin-login.png` screenshot image file in `shiroauthentication.md`
* [x] - Change the category of `shiroauthentication.md` file from `manual` -> `security`
* [x] - Change `Authentication` -> `Authentication for NGINX`
### What is the Jira issue?
### How should this be tested?
### Screenshots (if appropriate)
1. Updating zeppelin-login.png
  - before
  - after
<img width="1272" alt="zeppelin-login" src="https://cloud.githubusercontent.com/assets/10060731/15422244/812541e6-1eb2-11e6-89bc-ed635bc9aaa8.png">
2. Changing the category of **Shiro Authentication** & Changing **Authentication** -> **Authentication for NGINX**
  - before
  - after
### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? No
Author: AhyoungRyu <fbdkdud93@hanmail.net>
Closes #907 from AhyoungRyu/update/shiroDocs and squashes the following commits:
|
Renamed from docs/manual/shiroauthentication.md