Repository: zeppelin Updated Branches: refs/heads/master 951544a74 -> 717a8c1e7
[ZEPPELIN-2647] Bypass auth logic when a user logins as admin role ### What is this PR for? For administrator, make new admin role that assigned user can see all notebooks. ### What type of PR is it? Improvement ### What is the Jira issue? https://issues.apache.org/jira/browse/ZEPPELIN-2647 ### How should this be tested? 1. Set role name to use as admin through ZEPPELIN_OWNER_ROLE = <role name> or zeppelin.owner.role = <role name>. Default role name is admin 2. Login as user who is not assigned as admin and create notebook. 3. Logout the user and login another user who is assigned as admin, open the created notebook. ### Questions: * Does the licenses files need update? N * Is there breaking changes for older versions? Y/N * Does this needs documentation? Y Author: Yuta Hongo <[email protected]> Closes #2585 from yu74n/bypass-auth-logic and squashes the following commits: c706302 [Yuta Hongo] Use StringUtils isBlank() f6c6345 [Yuta Hongo] Remove description mentioned about private mode c6e1382 [Yuta Hongo] Disable admin role by default 0170b3f [Yuta Hongo] Check if admin role is valid or not 532a49f [Yuta Hongo] Set blank as default.owner.username default value 98a9de0 [Yuta Hongo] Rename property name 26b818c [Yuta Hongo] Make admin role to bypass auth logic Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/717a8c1e Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/717a8c1e Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/717a8c1e Branch: refs/heads/master Commit: 717a8c1e796818ab2494a87afcaf811c42e016fa Parents: 951544a Author: Yuta Hongo <[email protected]> Authored: Thu Nov 9 17:16:28 2017 +0900 Committer: Felix Cheung <[email protected]> Committed: Tue Nov 14 23:48:30 2017 -0800 ---------------------------------------------------------------------- conf/zeppelin-site.xml.template | 6 +++++ .../zeppelin/conf/ZeppelinConfiguration.java | 5 +++- 
.../notebook/NotebookAuthorization.java | 28 ++++++++++++++------
3 files changed, 30 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/717a8c1e/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 8a2a60e..b59d878 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -394,6 +394,12 @@
 </property>
 <property>
+ <name>zeppelin.notebook.default.owner.username</name>
+ <value></value>
+ <description>Set owner role by default</description>
+</property>
+
+<property>
 <name>zeppelin.notebook.public</name>
 <value>true</value>
 <description>Make notebook public by default when created, private otherwise</description>
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/717a8c1e/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 1bc242d..f45e27b 100644
--- a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
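Review bot: The `<description>` on the new `zeppelin.notebook.default.owner.username` property, "Set owner role by default", does not tell an operator what the setting does: elsewhere in this commit, any caller whose entity set contains this value passes the owner, writer, reader and runner checks for every note. The key also says `username` while the value is described and used as a role name. I would spell the effect out in the template, e.g. `<description>Role name whose members are treated as owner, writer, reader and runner of every note, bypassing per-note permissions. Leave empty to disable.</description>`.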
@@ -716,7 +716,10 @@ public class ZeppelinConfiguration extends XMLConfiguration {
 ZEPPELIN_INTERPRETER_LIFECYCLE_MANAGER_TIMEOUT_CHECK_INTERVAL(
 "zeppelin.interpreter.lifecyclemanager.timeout.checkinterval", 6000L),
 ZEPPELIN_INTERPRETER_LIFECYCLE_MANAGER_TIMEOUT_THRESHOLD(
- "zeppelin.interpreter.lifecyclemanager.timeout.threshold", 3600000L);
+ "zeppelin.interpreter.lifecyclemanager.timeout.threshold", 3600000L),
+
+ ZEPPELIN_OWNER_ROLE("zeppelin.notebook.default.owner.username", "");
+
 private String varName;
 @SuppressWarnings("rawtypes")
http://git-wip-us.apache.org/repos/asf/zeppelin/blob/717a8c1e/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/NotebookAuthorization.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/NotebookAuthorization.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/NotebookAuthorization.java
index 69ba891..5f0f066 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/NotebookAuthorization.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/NotebookAuthorization.java
@@ -24,7 +24,6 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStreamWriter;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
@@ -35,6 +34,7 @@ import java.util.Set;
 import org.apache.commons.lang.StringUtils;
 import org.apache.zeppelin.conf.ZeppelinConfiguration;
+import org.apache.zeppelin.conf.ZeppelinConfiguration.ConfVars;
 import org.apache.zeppelin.user.AuthenticationInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
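Review bot: In the ZeppelinConfiguration hunk, `ZEPPELIN_OWNER_ROLE` is bound to the key `zeppelin.notebook.default.owner.username`, so the constant says "role" and the key says "username", while the commit description refers to `zeppelin.owner.role` and a default of `admin`; the value committed here defaults to `""`. Because this setting controls an authorization bypass, the enum entry should carry a comment that pins down its meaning, for example `// Role granted owner/writer/reader/runner on all notes; empty (default) disables the bypass.` Aligning the key name with the constant would be clearer still if compatibility allows. The enum body starts before and continues after the hunk.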
@@ -293,24 +293,36 @@ public class NotebookAuthorization {
 }
 public boolean isOwner(String noteId, Set<String> entities) {
- return isMember(entities, getOwners(noteId));
+ return isMember(entities, getOwners(noteId)) || isAdmin(entities);
 }
 public boolean isWriter(String noteId, Set<String> entities) {
- return isMember(entities, getWriters(noteId)) || isMember(entities, getOwners(noteId));
+ return isMember(entities, getWriters(noteId)) ||
+ isMember(entities, getOwners(noteId)) ||
+ isAdmin(entities);
 }
 public boolean isReader(String noteId, Set<String> entities) {
 return isMember(entities, getReaders(noteId)) ||
- isMember(entities, getOwners(noteId)) ||
- isMember(entities, getWriters(noteId)) ||
- isMember(entities, getRunners(noteId));
+ isMember(entities, getOwners(noteId)) ||
+ isMember(entities, getWriters(noteId)) ||
+ isMember(entities, getRunners(noteId)) ||
+ isAdmin(entities);
 }
 public boolean isRunner(String noteId, Set<String> entities) {
 return isMember(entities, getRunners(noteId)) ||
- isMember(entities, getWriters(noteId)) ||
- isMember(entities, getOwners(noteId));
+ isMember(entities, getWriters(noteId)) ||
+ isMember(entities, getOwners(noteId)) ||
+ isAdmin(entities);
+ }
+
+ private boolean isAdmin(Set<String> entities) {
+ String adminRole = conf.getString(ConfVars.ZEPPELIN_OWNER_ROLE);
+ if (StringUtils.isBlank(adminRole)) {
+ return false;
+ }
+ return entities.contains(adminRole);
 }
 // return true if b is empty or if (a intersection b) is non-empty
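Review bot: `isAdmin` is OR-ed into `isOwner`, `isWriter` and `isRunner` as well as `isReader`, so a holder of the configured role can edit, run and re-permission every note, which is wider than the "can see all notebooks" stated in the description; if read-only visibility is the intent, only `isReader` needs the extra clause. `entities.contains(adminRole)` also matches any string in the set, so if callers pass user names alongside role names (not visible in this hunk), a user whose login equals the configured value would get the same bypass. At minimum `isAdmin` should document this, e.g. `/** True when entities contains the configured admin role; grants every permission on every note. Compares against the whole entity set, not only roles. */`, and a debug-level log line when access is granted only through this path would make the bypass auditable. The class body starts before and continues after the hunk.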
