zeppelin/docs/security/authentication.md
AhyoungRyu 5975125f18 [ZEPPELIN-1018] Apply auto "Table of Contents" generator to Zeppelin docs website
### What is this PR for?
I added an auto TOC (Table of Contents) generator for the Zeppelin documentation website. A TOC can help people look through the whole contents at a glance and find what they want quickly.

I just added `<div id="toc"></div>` to each documentation header. [`toc`](https://github.com/apache/zeppelin/compare/master...AhyoungRyu:ZEPPELIN-1018?expand=1#diff-85af09fb498a5667ea455391533f945dR3) recognizes `<h2>` & `<h3>` as titles in the docs and automatically generates the TOC. So I set a rule for this work. (I'll write this rule in `docs/CONTRIBUTING.md` or [docs/howtocontributewebsite](https://zeppelin.apache.org/docs/0.6.0-SNAPSHOT/development/howtocontributewebsite.html)).

```
# Level-1 Heading  <- Use only for the main title of the page
## Level-2 Heading <- Start with this one
### Level-3 heading <- Only use this one for child of Level-2

toc only recognize Level-2 & Level-3
```

Please see the below attached screenshot image.

### What type of PR is it?
Improvement & Documentation

### Todos
* [x] - Add TOC generator
* [x] - Apply TOC (`<div id="toc"></div>`) to every documentation page and reorganize each header (apply the above rule)
* [x] - Fix some broken code blocks in several docs
* [x] - Apply TOC to `r.md` (Currently the R docs have some duplicated info since [this one](d5e87fb8ba) and [this one](7d6cc7e991) )
* [x] - Apply TOC to `install.md` after #1010 merged
* [x] - Apply TOC to `interpreterinstallation.md` after #1042 merged

### What is the Jira issue?
[ZEPPELIN-1018](https://issues.apache.org/jira/browse/ZEPPELIN-1018)

### How should this be tested?
1. Apply this patch and build `docs/` with [this guide](https://github.com/apache/zeppelin/tree/master/docs#build-documentation)
2.  Visit some docs page. Then you can see TOC in the header of page.

### Screenshots (if appropriate)
 - Automatically generated TOC in Spark interpreter docs page
<img width="831" alt="screen shot 2016-06-16 at 9 37 18 pm" src="https://cloud.githubusercontent.com/assets/10060731/16140902/945b9c7a-340a-11e6-91f3-b6174738bed0.png">

### Questions:
* Does the licenses files need update?
No. Actually I used [jekyll-table-of-contents#copyright](https://github.com/ghiculescu/jekyll-table-of-contents#copyright). But I don't need to add a license for this :)
* Are there breaking changes for older versions? No
* Does this need documentation? Maybe

Author: AhyoungRyu <fbdkdud93@hanmail.net>

Closes #1031 from AhyoungRyu/ZEPPELIN-1018 and squashes the following commits:

e66397b [AhyoungRyu] Apply TOC to interpreterinstallation.md
009579b [AhyoungRyu] Add more info to 'What is the next?' in install.md
04cf501 [AhyoungRyu] Revert 'where to start' section
b7cbe5f [AhyoungRyu] Fix typo
cf0911c [AhyoungRyu] Rename license file
388f35a [AhyoungRyu] Add jekyll-table-of-contents license info
6394c70 [AhyoungRyu] Fix image path in python.md
d00e4b1 [AhyoungRyu] Move interpreter/screenshot/ -> asset/../img/docs-img/
3ffb383 [AhyoungRyu] Remove duplicated info in r.md & apply toc
a03ca99 [AhyoungRyu] Exclude toc.js from pom.xml
3fae7df [AhyoungRyu] Apply auto generated toc to install.md
d114a9d [AhyoungRyu] Address @felixcheung feedback
6a788fe [AhyoungRyu] Resize TOC tab indent
6760c00 [AhyoungRyu] Apply auto TOC to all of docs under docs/storage/
fbde57f [AhyoungRyu] Apply auto TOC to all of docs under docs/quickstart/
db76eb6 [AhyoungRyu] Apply auto TOC to all of docs under docs/install/
f35db47 [AhyoungRyu] Apply auto TOC to all of docs under docs/displaysystem/
b05365f [AhyoungRyu] Apply auto TOC to all of docs under docs/rest-api/
163691c [AhyoungRyu] Apply auto TOC to all of docs under docs/manual/
bef398e [AhyoungRyu] Apply auto TOC to all of docs under docs/development/
9c5f76b [AhyoungRyu] Apply auto TOC to all of docs under docs/interpreter/
587d4ba [AhyoungRyu] Apply auto TOC to all of docs under docs/security/
1f10b97 [AhyoungRyu] Change toc configuration
78dca9e [AhyoungRyu] Add toc.js for auto generating TOC
2016-06-25 22:57:44 -07:00


layout: page
title: Authentication for NGINX
description: Authentication for NGINX
group: security

Authentication for NGINX

Authentication is company-specific. One option is to use Basic Access Authentication.

HTTP Basic Authentication using NGINX

Quote from Wikipedia: NGINX is a web server. It can act as a reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well as a load balancer and an HTTP cache.

So you can use an NGINX server as a proxy that handles HTTP Basic Authentication in a separate process alongside the Zeppelin server. The following instructions set up NGINX as a front-end authentication server with Zeppelin behind it.

These instructions are based on Ubuntu 14.04 LTS but may work on other operating systems with a few configuration changes.

  1. Install NGINX server on your server instance

    You can install NGINX on the same box where Zeppelin is installed, or on a separate box dedicated to serving as the proxy server.

    $ apt-get install nginx
    

    NOTE: On NGINX versions before 1.3.13, proxying for WebSocket may not fully work. Please use the latest version of NGINX. See: NGINX documentation.

  2. Set up the init script in NGINX

    In most cases, the NGINX configuration is located under /etc/nginx/sites-available. Create your own configuration file there, or add to your existing configuration in /etc/nginx/sites-available.

    $ cd /etc/nginx/sites-available
    $ touch my-zeppelin-auth-setting
    

    Now add this script to the my-zeppelin-auth-setting file. You can comment out the optional lines if you want to serve Zeppelin over regular HTTP on port 80.

    upstream zeppelin {
        server [YOUR-ZEPPELIN-SERVER-IP]:[YOUR-ZEPPELIN-SERVER-PORT];   # For security, it is highly recommended to make this address/port not publicly accessible
    }
    
    # Zeppelin Website
    server {
        listen [YOUR-ZEPPELIN-WEB-SERVER-PORT];
        listen 443 ssl;                                      # optional, to serve HTTPS connection
        server_name [YOUR-ZEPPELIN-SERVER-HOST];             # for example: zeppelin.mycompany.com
    
        ssl_certificate [PATH-TO-YOUR-CERT-FILE];            # optional, to serve HTTPS connection
        ssl_certificate_key [PATH-TO-YOUR-CERT-KEY-FILE];    # optional, to serve HTTPS connection
    
        if ($ssl_protocol = "") {
            rewrite ^ https://$host$request_uri? permanent;  # optional, to force use of HTTPS
        }
    
        location / {    # For regular webserver support
            proxy_pass http://zeppelin;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_redirect off;
            auth_basic "Restricted";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    
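        # auth_basic is set only in "location /" above and is not applied to this
        # location: a request is handled by exactly one location block.
        location /ws {  # For websocket support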
            proxy_pass http://zeppelin;
            proxy_http_version 1.1;
            proxy_set_header Upgrade websocket;
            proxy_set_header Connection upgrade;
            proxy_read_timeout 86400;
        }
    }
    

    Then create a symbolic link to this file in /etc/nginx/sites-enabled/ so that the configuration above is enabled when NGINX reloads. The first argument of ln -s is the existing file and the second is the link to create.

    $ ln -s /etc/nginx/sites-available/my-zeppelin-auth-setting /etc/nginx/sites-enabled/my-zeppelin-auth-setting
    
  3. Set up user credentials in the .htpasswd file and restart the server

    Now you need to set up the .htpasswd file, which holds the list of authenticated user credentials for the NGINX server. The file name must match the auth_basic_user_file path in the configuration above (/etc/nginx/.htpasswd).

    $ cd /etc/nginx
    $ htpasswd -c .htpasswd [YOUR-ID]
    New password: [YOUR-PASSWORD]
    Re-type new password: [YOUR-PASSWORD-AGAIN]
    

    Or you can use your own Apache .htpasswd file in another location by setting the auth_basic_user_file property accordingly.

    Restart NGINX server.

    $ service nginx restart
    

    Then check that HTTP Basic Authentication works in a browser. If you see the regular basic auth popup and can log in with the credentials you entered into .htpasswd, you are good to go.

  4. More security considerations

  • Using an HTTPS connection with Basic Authentication is highly recommended, since basic auth without encryption may expose your credentials over the network.
  • Using the Shiro Security feature built into Zeppelin is recommended if you prefer an all-in-one solution for authentication, but NGINX may provide an ad-hoc solution for reusing the authentication served by your system's NGINX server, or for cases where you need to separate authentication from the Zeppelin server.
  • It is recommended to isolate the Zeppelin server from direct connections from the public internet or external services, to protect your Zeppelin instance from unexpected attacks or problems originating in the public zone.
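
A check for the step 2 configuration, added here as an example and not part of the Zeppelin documentation: auth_basic is inherited from the enclosing server block but never from a sibling location, so a proxied location without its own directive is served without a password prompt. The function name audit_proxy_auth and the sample file are constructed for illustration; the script assumes one directive per line and no nested location blocks.

```shell
#!/bin/sh
# Added example: list proxied locations that no auth_basic directive covers.
# Assumes one directive per line and no nested location blocks.
audit_proxy_auth() {
    awk '
    { sub(/#.*/, "") }                               # drop comments
    $1 == "server" && $2 == "{" { srv = 1; sdepth = depth; sauth = 0; n = 0 }
    srv && !inloc && $1 == "location" {
        inloc = 1; ldepth = depth; loc = $(NF - 1); lauth = 0; lproxy = 0
    }
    $1 == "auth_basic" {                             # 1 = on, -1 = off, 0 = inherit
        v = ($2 == "off;") ? -1 : 1
        if (inloc) lauth = v
        else if (srv) sauth = v
    }
    inloc && $1 == "proxy_pass" { lproxy = 1 }
    {
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (inloc && depth == ldepth) {              # location block closed
            if (lproxy) { name[++n] = loc; state[n] = lauth }
            inloc = 0
        }
        if (srv && depth == sdepth) {                # server block closed
            for (i = 1; i <= n; i++)
                if (state[i] < 0 || (state[i] == 0 && sauth <= 0)) print name[i]
            srv = 0
        }
    }' "$1"
}

# Constructed sample: the server block from step 2, trimmed; upstream address is made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
upstream zeppelin {
    server 127.0.0.1:8080;
}
server {
    listen 443 ssl;
    location / {    # For regular webserver support
        proxy_pass http://zeppelin;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    location /ws {  # For websocket support
        proxy_pass http://zeppelin;
        proxy_http_version 1.1;
    }
}
EOF
audit_proxy_auth "$sample"    # prints: /ws
```

Run it against the file in /etc/nginx/sites-available before reloading NGINX; an empty result means every proxied location is covered by an auth_basic directive.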

Another option

Another option is to have an authentication server that can verify user credentials in an LDAP server. If an incoming request to the Zeppelin server does not have a cookie with user information encrypted with the authentication server public key, the user is redirected to the authentication server. Once the user is verified, the authentication server redirects the browser to a specific URL in the Zeppelin server which sets the authentication cookie in the browser. The end result is that all requests to the Zeppelin web server have the authentication cookie which contains user and groups information.