Repository: zeppelin
Updated Branches:
  refs/heads/branch-0.8 d3de51562 -> 852826156


[ZEPPELIN-3350] Don't allow set cronExecutionUser

### What is this PR for?
This PR just does a quick fix for this security issue.
1. Remove the cron user setting in the frontend.
2. Run the note via owner.

### What type of PR is it?
[Bug Fix]

### Todos
* [ ] - Task

### What is the Jira issue?
* https://issues.apache.org/jira/browse/ZEPPELIN-3350

### How should this be tested?
* Manually tested

### Screenshots (if appropriate)
![screen shot 2018-04-09 at 3 04 06 pm](https://user-images.githubusercontent.com/164491/38483974-707dca56-3c07-11e8-918a-cd47ed94ee99.png)

### Questions:
* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Author: Jeff Zhang <zjf...@apache.org>

Closes #2914 from zjffdu/ZEPPELIN-3350 and squashes the following commits:

63325d0 [Jeff Zhang] [ZEPPELIN-3350] Don't allow set cronExecutionUser

(cherry picked from commit 08c9ad9a6692405884ae2b2f730868030247762f)
Signed-off-by: Jeff Zhang <zjf...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/85282615
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/85282615
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/85282615

Branch: refs/heads/branch-0.8
Commit: 85282615681e895d477417e9f9b80efdb221bf2c
Parents: d3de515
Author: Jeff Zhang <zjf...@apache.org>
Authored: Wed Apr 4 18:13:06 2018 +0800
Committer: Jeff Zhang <zjf...@apache.org>
Committed: Tue Apr 10 15:52:05 2018 +0800

----------------------------------------------------------------------
 docs/usage/other_features/cron_scheduler.md           |  2 +-
 zeppelin-web/src/app/notebook/notebook-actionBar.html |  7 -------
 .../main/java/org/apache/zeppelin/notebook/Note.java  | 14 +++++---------
 3 files changed, 6 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/85282615/docs/usage/other_features/cron_scheduler.md
----------------------------------------------------------------------
diff --git a/docs/usage/other_features/cron_scheduler.md 
b/docs/usage/other_features/cron_scheduler.md
index c7fc284..7223045 100644
--- a/docs/usage/other_features/cron_scheduler.md
+++ b/docs/usage/other_features/cron_scheduler.md
@@ -41,7 +41,7 @@ You can set a cron schedule easily by clicking each option 
such as `1m` and `5m`
 
 You can set the cron schedule by filling in this form. Please see [Cron 
Trigger 
Tutorial](http://www.quartz-scheduler.org/documentation/quartz-2.2.x/tutorials/crontrigger)
 for the available cron syntax.
 
-### Cron executing user
+### Cron executing user (It is removed from 0.8 where it enforces the cron 
execution user to be the note owner for security purpose)
 
 You can set the cron executing user by filling in this form and press the 
enter key.
 
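Review bot: The changed heading says the setting is removed in 0.8, but the paragraph directly under it still reads "You can set the cron executing user by filling in this form and press the enter key", so the page now contradicts itself. Keep the heading short and move the explanation into the body, replacing that instruction with a sentence stating that from 0.8 on the cron run always executes as the note owner.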

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/85282615/zeppelin-web/src/app/notebook/notebook-actionBar.html
----------------------------------------------------------------------
diff --git a/zeppelin-web/src/app/notebook/notebook-actionBar.html 
b/zeppelin-web/src/app/notebook/notebook-actionBar.html
index 7559a87..78ca77e 100644
--- a/zeppelin-web/src/app/notebook/notebook-actionBar.html
+++ b/zeppelin-web/src/app/notebook/notebook-actionBar.html
@@ -281,13 +281,6 @@ limitations under the License.
                 </p>
               </div>
               <div>
-                <span>- Cron executing user (click enter in field to 
submit)</span>
-                <input type="text"
-                       ng-model="note.config.cronExecutingUser"
-                       
ng-enter="setCronExecutingUser(note.config.cronExecutingUser)"
-                       dropdown-input />
-              </div>
-              <div>
                 <span>- auto-restart interpreter on cron execution </span>
                 <input type="checkbox"
                        ng-model="note.config.releaseresource"
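
Review bot: Removing the input bound to `note.config.cronExecutingUser` only hides the control; the `setCronExecutingUser(...)` handler that `ng-enter` called is not touched, since the diffstat lists no controller file. Remove that handler in the same change so no client code path still writes the key, and do not rely on the UI for enforcement: the server should ignore or reject `cronExecutingUser` in an incoming note config.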

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/85282615/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/Note.java
----------------------------------------------------------------------
diff --git 
a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/Note.java 
b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/Note.java
index 8889a55..3c49eac 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/Note.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/Note.java
@@ -637,16 +637,10 @@ public class Note implements ParagraphJobListener, 
JsonSerializable {
   }
 
   /**
-   * Run all paragraphs sequentially.
+   * Run all paragraphs sequentially. Only used for CronJob
    */
   public synchronized void runAll() {
-    String cronExecutingUser = (String) getConfig().get("cronExecutingUser");
-    if (null == cronExecutingUser) {
-      cronExecutingUser = "anonymous";
-    }
-    AuthenticationInfo authenticationInfo = new AuthenticationInfo();
-    authenticationInfo.setUser(cronExecutingUser);
-    runAll(authenticationInfo, true);
+    runAll(null, true);
   }
 
   public void runAll(AuthenticationInfo authenticationInfo, boolean blocking) {
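Review bot: `runAll(null, true)` makes null mean "keep whatever identity each paragraph already has", and nothing in this hunk resolves the note owner even though the commit message says the note runs via the owner. Build the AuthenticationInfo from the owner here and pass it explicitly, or at least state in the Javadoc which user a cron run executes as; "Only used for CronJob" is also not enforced, since the method stays public.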
@@ -654,7 +648,9 @@ public class Note implements ParagraphJobListener, 
JsonSerializable {
       if (!p.isEnabled()) {
         continue;
       }
-      p.setAuthenticationInfo(authenticationInfo);
+      if (authenticationInfo != null) {
+        p.setAuthenticationInfo(authenticationInfo);
+      }
       if (!run(p.getId(), blocking)) {
         logger.warn("Skip running the remain notes because paragraph {} 
fails", p.getId());
         break;
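
Review bot: With the `if (authenticationInfo != null)` guard, a null argument leaves each paragraph's existing AuthenticationInfo in place, so the identity used depends on whatever was last set on that paragraph, and the visible lines do not show that this is the owner or that it is set at all. The two-argument `runAll` is public, so every caller can now pass null silently; document the null contract on that method, or keep it strict and have the cron path supply an owner-derived AuthenticationInfo.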
