zeppelin

mirror of https://github.com/apache/zeppelin synced 2026-05-24 09:38:26 +00:00

History

Prabhjyot Singh 31f584cfee [ZEPPELIN-1320] Run zeppelin interpreter process as web front end user Have recreated this from https://github.com/apache/zeppelin/pull/1322 ### What is this PR for? While running a Notebook using shell, spark, python uses same user as which zeppelin server is running. Which means these interprets have same permission on file system as zeppelin server. IMO users should be able to impersonate themselves as a complete security system. ### What type of PR is it? [Improvement] ### Todos - [x] - Update doc - [x] - FIX NPEs - [x] - FIX CI ### What is the Jira issue? - [ZEPPELIN-1320](https://issues.apache.org/jira/browse/ZEPPELIN-1320) ### How should this be tested? - Enable shiro auth in shiro.ini - Add ssh key for the same user you want to try and impersonate (say user1). ``` adduser user1 ssh-keygen ssh user1localhost mkdir -p .ssh cat ~/.ssh/id_rsa.pub \| ssh user1localhost 'cat >> .ssh/authorized_keys' ``` - Start zeppelin server, try and run following in paragraph in a notebook - Go to interpreter setting page, and enable "User Impersonate" in any of the interpreter (in my example its shell interpreter) ``` %sh whoami ``` Check that it should run as new user, i.e. "user1" ### Screenshots (if appropriate) ![user impersonate](https://cloud.githubusercontent.com/assets/674497/20213127/f32fdc52-a82c-11e6-8e33-aebd6a943c5f.gif) ### Questions: - Does the licenses files need update? no - Is there breaking changes for older versions? no - Does this needs documentation? yes Author: Prabhjyot Singh <prabhjyotsingh@gmail.org> Closes #1554 from prabhjyotsingh/ZEPPELIN-1320-2 and squashes the following commits: `dc69c9d` [Prabhjyot Singh] @Leemoonsoo review comment: making ZEPPELIN_SSH_COMMAND configurable `1b26cc0` [Prabhjyot Singh] add doc `5a76839` [Prabhjyot Singh] show User Impersonate only when interpreter setting is "per user" and "isolated" `02c3084` [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2 `03b2f20` [Prabhjyot Singh] use user instead of "" `0ff80ec` [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2 `dd0731d` [Prabhjyot Singh] fix missing test cases `aff1bf0` [Prabhjyot Singh] user should have option to run these interpreters as different user.	2016-11-17 19:07:29 -08:00
..
JB	ZEPPELIN-279: move website w/ docs to master branch	2015-09-05 19:48:22 +09:00
themes/zeppelin	[ZEPPELIN-1320] Run zeppelin interpreter process as web front end user	2016-11-17 19:07:29 -08:00

Prabhjyot Singh 31f584cfee [ZEPPELIN-1320] Run zeppelin interpreter process as web front end user

Have recreated this from https://github.com/apache/zeppelin/pull/1322
### What is this PR for?

While running a Notebook using shell, spark, python uses same user as which zeppelin server is running. Which means these interprets have same permission on file system as zeppelin server.
IMO users should be able to impersonate themselves as a complete security system.
### What type of PR is it?

[Improvement]
### Todos
- [x] - Update doc
- [x] - FIX NPEs
- [x] - FIX CI
### What is the Jira issue?
- [ZEPPELIN-1320](https://issues.apache.org/jira/browse/ZEPPELIN-1320)
### How should this be tested?
- Enable shiro auth in shiro.ini
- Add ssh key for the same user you want to try and impersonate (say user1).

```
adduser user1
ssh-keygen
ssh user1localhost mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh user1localhost 'cat >> .ssh/authorized_keys'
```
- Start zeppelin server, try and run following in paragraph in a notebook
- Go to interpreter setting page, and enable "User Impersonate" in any of the interpreter (in my example its shell interpreter)

```
%sh
whoami
```

Check that it should run as new user, i.e. "user1"
### Screenshots (if appropriate)

![user impersonate](https://cloud.githubusercontent.com/assets/674497/20213127/f32fdc52-a82c-11e6-8e33-aebd6a943c5f.gif)

### Questions:
- Does the licenses files need update? no
- Is there breaking changes for older versions? no
- Does this needs documentation? yes

Author: Prabhjyot Singh <prabhjyotsingh@gmail.org>

Closes #1554 from prabhjyotsingh/ZEPPELIN-1320-2 and squashes the following commits:

dc69c9d [Prabhjyot Singh] @Leemoonsoo review comment: making ZEPPELIN_SSH_COMMAND configurable
1b26cc0 [Prabhjyot Singh] add doc
5a76839 [Prabhjyot Singh] show User Impersonate only when interpreter setting is "per user" and "isolated"
02c3084 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2
03b2f20 [Prabhjyot Singh] use user instead of ""
0ff80ec [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2
dd0731d [Prabhjyot Singh] fix missing test cases
aff1bf0 [Prabhjyot Singh] user should have option to run these interpreters as different user.

2016-11-17 19:07:29 -08:00

JB ZEPPELIN-279: move website w/ docs to master branch 2015-09-05 19:48:22 +09:00

themes/zeppelin [ZEPPELIN-1320] Run zeppelin interpreter process as web front end user 2016-11-17 19:07:29 -08:00