GitHub user anthonycorbacho reopened a pull request: https://github.com/apache/zeppelin/pull/1567
[ZEPPELIN-1586] Add security check in NotebookRestApi

### What is this PR for?
Bring some security check in `NotebookRestApi`.

### What type of PR is it?
[Bug Fix | Improvement | Refactoring]

### Todos
- [x] - Create a proper way to throw webapp error
- [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
- [x] - Add Authorization check in `NotebookRestapi`
- [x] - Add new test for security in notebook REST API

### What is the Jira issue?
- [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)

### How should this be tested?
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to **false**
```
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```
#/** = anon
/** = authc
```
- Start Zeppelin, log in and set some permission on a note
- Try to get a note from the Zeppelin REST API `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl; if you use curl, please add the Shiro token to the curl cookie)

### Screenshots (if appropriate)
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

### Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/1567.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1567

----
commit 4a43b07c05026698fe268b4b45913a3b0f007f74
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T05:49:10Z

    Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

commit da3415f3b3c12d72e0466a736ccaa0a3231c79ed
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T07:22:13Z

    Add new method to help to determine if user is part of writer and/or owner for the given note

commit 0e4cc3c974cb52b8e6e039375c4748bc89665201
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T09:56:04Z

    Add new method to check if user and roles are member of the note (at least owner, reader, writer)

commit 21f9288ef7225f56c6a9d92d26209b7440d64c6a
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T09:57:06Z

    Replace check of anonymous by method

commit fe380abf6fc839f316a0eeaae43b3a1e44d58df9
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T11:19:32Z

    Add webapp exception handler :)

commit 6030776cd867f7575010ee7fa99e0b0782d308dd
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-28T11:19:54Z

    Handle security check

commit ed404a4e331e28f76cc2a28ebc3498d3343da34e
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-10-29T05:58:04Z

    Rename permission check note :: be more meaningful

commit c8c42b26a0b7403a02f90cce62336c2eb9498873
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T03:33:20Z

    Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException

commit eacfa8eee2fde6d9fb1f3f8fc52b7b7967b6c665
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T08:24:38Z

    Fix typo and bad copy paste for isOwner

commit db0c39c4a14d7a97b5d7caec3d332056d0773920
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T08:30:17Z

    Address review and fix typos

commit b412266b4dd73fd005a403b77acdec0599e55b3a
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T14:48:14Z

    Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user

commit decd1e9c6c32f761a806e2367eeaa94121931631
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T14:49:00Z

    Simple implementation of notebook test with shiro (security)

commit bab7e600780e19533b59c56e7c4b7e32e8841efc
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-01T14:49:26Z

    Rewording

commit 49d4db9eff1fe908d9256ded67f21d53fa48e4d8
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date:   2016-11-02T03:24:43Z

    Fix typo

----
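
The manual check under "How should this be tested?", scripted as an added example (not part of the pull request or of Zeppelin's own code). It goes beyond the description by comparing a note owner with a logged-in non-member; the `OWNER_*`/`OTHER_*` account variables, `NOTE_ID`, obtaining the Shiro session cookie through `POST /api/login`, and treating 401/403 as "denied" are assumptions.

```shell
# Added example. Assumed inputs (not from the PR): OWNER_USER/OWNER_PASS own the
# note, OTHER_USER/OTHER_PASS is a valid login with no permission on it, and
# NOTE_ID names a note whose permissions were set in the UI beforehand.
BASE_URL="${BASE_URL:-http://localhost:8080}"

# Log in with form fields userName/password; Shiro's session cookie is written
# to the cookie jar file given as $3.
zeppelin_login() {  # user password cookie_jar
  curl -s -o /dev/null -c "$3" \
    --data-urlencode "userName=$1" --data-urlencode "password=$2" \
    "$BASE_URL/api/login"
}

# Print only the HTTP status of GET /api/notebook/{noteId} sent with that jar.
note_status() {  # note_id cookie_jar
  curl -s -o /dev/null -w '%{http_code}' -b "$2" "$BASE_URL/api/notebook/$1"
}

# Map a status code to an access decision (401/403 as "denied" is an assumption).
classify_status() {
  case "$1" in
    2??)     echo allowed ;;
    401|403) echo denied ;;
    *)       echo error ;;   # includes 000: curl could not reach the server
  esac
}

# Compare the observed decision with the expected one; non-zero on mismatch.
check_access() {  # label status expected
  ca_got="$(classify_status "$2")"
  if [ "$ca_got" = "$3" ]; then
    echo "PASS $1: $ca_got (HTTP $2)"
  else
    echo "FAIL $1: got $ca_got (HTTP $2), expected $3"
    return 1
  fi
}

run_checks() {  # note_id
  rc_owner="$(mktemp)"; rc_other="$(mktemp)"; rc_result=0
  zeppelin_login "$OWNER_USER" "$OWNER_PASS" "$rc_owner"
  zeppelin_login "$OTHER_USER" "$OTHER_PASS" "$rc_other"
  check_access "owner" "$(note_status "$1" "$rc_owner")" allowed || rc_result=1
  check_access "non-member" "$(note_status "$1" "$rc_other")" denied || rc_result=1
  rm -f "$rc_owner" "$rc_other"
  return "$rc_result"
}

# Contacts the server only when NOTE_ID is set.
if [ -n "${NOTE_ID:-}" ]; then run_checks "$NOTE_ID"; fi
```

A `FAIL non-member` line with HTTP 200 means the note was returned to a user outside its owner, reader and writer lists.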