GitHub user anthonycorbacho reopened a pull request:
https://github.com/apache/zeppelin/pull/1567
[ZEPPELIN-1586] Add security check in NotebookRestApi
### What is this PR for?
Bring some security check in `NotebookRestApi`.
### What type of PR is it?
[Bug Fix | Improvement | Refactoring]
### Todos
- [x] - Create a proper way to throw webapp error
- [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
- [x] - Add Authorization check in `NotebookRestapi`
- [x] - Add New test for security in notebook rest api
### What is the Jira issue?
- [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)
### How should this be tested?
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to **false**
```
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```
#/** = anon
/** = authc
```
- Start Zeppelin, log in and set some permission to a note
- Try to get a note from the Zeppelin REST API `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl; if you use curl, please add the Shiro token to the curl cookie)
### Screenshots (if appropriate)

### Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1567.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1567
----
commit 4a43b07c05026698fe268b4b45913a3b0f007f74
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T05:49:10Z
Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not
commit da3415f3b3c12d72e0466a736ccaa0a3231c79ed
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T07:22:13Z
Add new method to help to determine if user is part of writer and/or owner for the given note
commit 0e4cc3c974cb52b8e6e039375c4748bc89665201
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T09:56:04Z
Add new method to check if user and roles are member of the note (at least owner, reader, writer)
commit 21f9288ef7225f56c6a9d92d26209b7440d64c6a
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T09:57:06Z
Replace check of anonymous by method
commit fe380abf6fc839f316a0eeaae43b3a1e44d58df9
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T11:19:32Z
Add webapp exception handler :)
commit 6030776cd867f7575010ee7fa99e0b0782d308dd
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-28T11:19:54Z
Handle security check
commit ed404a4e331e28f76cc2a28ebc3498d3343da34e
Author: Anthony Corbacho <[email protected]>
Date: 2016-10-29T05:58:04Z
Rename permission check note :: be more meaningful
commit c8c42b26a0b7403a02f90cce62336c2eb9498873
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T03:33:20Z
Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException
commit eacfa8eee2fde6d9fb1f3f8fc52b7b7967b6c665
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T08:24:38Z
Fix typo and bad copy paste for isOwner
commit db0c39c4a14d7a97b5d7caec3d332056d0773920
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T08:30:17Z
Address review and fix typos
commit b412266b4dd73fd005a403b77acdec0599e55b3a
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T14:48:14Z
Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user
commit decd1e9c6c32f761a806e2367eeaa94121931631
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T14:49:00Z
Simple implementation of notebook test with shiro (security)
commit bab7e600780e19533b59c56e7c4b7e32e8841efc
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-01T14:49:26Z
Rewording
commit 49d4db9eff1fe908d9256ded67f21d53fa48e4d8
Author: Anthony Corbacho <[email protected]>
Date: 2016-11-02T03:24:43Z
Fix typo
----
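The test setup described in the pull request above (anonymous access switched off in `conf/zeppelin-site.xml`, `/** = authc` active in `conf/shiro.ini`) can be checked offline before Zeppelin is started. The following is an added example, not code from the pull request or from Zeppelin: the function names, the `NOTE_ID` placeholder and the sample inputs are constructed, and the path matching is a simplified subset of Shiro's Ant-style patterns.

```python
import re
import xml.etree.ElementTree as ET

def anonymous_allowed(site_xml):
    """zeppelin.anonymous.allowed from zeppelin-site.xml; absent means allowed (the default)."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "zeppelin.anonymous.allowed":
            return (prop.findtext("value") or "").strip().lower() != "false"
    return True

def shiro_url_rules(shiro_ini):
    """Active (pattern, filter chain) pairs of the [urls] section, in file order."""
    rules, in_urls = [], False
    for line in (raw.strip() for raw in shiro_ini.splitlines()):
        if not line or line[0] in "#;":   # '#/** = anon' is commented out, so inactive
            continue
        if line.startswith("["):
            in_urls = line == "[urls]"
        elif in_urls and "=" in line:
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), chain.strip()))
    return rules

def chain_for(path, rules):
    """Shiro uses the first [urls] pattern that matches the request path."""
    for pattern, chain in rules:
        # Subset of Ant-style matching: '**' crosses '/', '*' stays in one segment.
        regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        if re.fullmatch(regex, path):
            return chain
    return None

def note_api_requires_login(site_xml, shiro_ini, path="/api/notebook/NOTE_ID"):
    """True only if anonymous mode is off and the note endpoint falls under authc."""
    chain = chain_for(path, shiro_url_rules(shiro_ini)) or ""
    filters = [f.strip() for f in chain.split(",")]
    return not anonymous_allowed(site_xml) and "authc" in filters and "anon" not in filters

# Constructed sample inputs (not taken from a real deployment).
SITE_OFF = ("<configuration><property><name>zeppelin.anonymous.allowed</name>"
            "<value>false</value></property></configuration>")
SITE_DEFAULT = "<configuration></configuration>"
SHIRO_OK = "[urls]\n/api/version = anon\n#/** = anon\n/** = authc\n"
SHIRO_ANON = "[urls]\n/** = anon\n#/** = authc\n"
SHIRO_SHADOWED = "[urls]\n/api/notebook/** = anon\n/** = authc\n"

if __name__ == "__main__":
    for name, ini in [("ok", SHIRO_OK), ("anon", SHIRO_ANON), ("shadowed", SHIRO_SHADOWED)]:
        print(name, note_api_requires_login(SITE_OFF, ini))
```

The `SHIRO_SHADOWED` case shows why rule order matters: an earlier `anon` rule covering the notebook path wins over the final `/** = authc`, so the REST test would run without authentication.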