GitHub user hkropp opened a pull request:

    https://github.com/apache/zeppelin/pull/1589

    [Zeppelin-1611] - Support PAM (System User) Authentication 

    ### What is this PR for?
    This PR adds [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication support based on the introduced Shiro security implementation. With PAM support, system users have immediate access to a secured Zeppelin instance.
    
    ### What type of PR is it?
    Feature
    
    ### Todos
    * [x] - Create PAM realm
    * [x] - Create test for PAM authentication
    * [x] - Test with running Zeppelin instance
    
    ### What is the Jira issue?
    [ZEPPELIN-1611](https://issues.apache.org/jira/browse/ZEPPELIN-1611)
    
    ### How should this be tested?
    `PamRealmTest` executes an automated test if the environment variables `PAM_USER` and `PAM_PASS` are set. These should be set to a system username and password.
    The test also includes a main function to manually execute the test. To set the environment variables for your IDE, for example on macOS, use `launchctl setenv PAM_USER user` and `launchctl setenv PAM_PASS xxxxx`; the test can then be run from your IDE.
    
    ### Screenshots (if appropriate)
    
    ### Questions:
    * Does the licenses files need update? No
    * Is there breaking changes for older versions? No 
    * Does this needs documentation? Yes


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/hkropp/incubator-zeppelin ZEPPELIN-1611

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/1589.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1589
    
----
commit 257f14e333c28c1b4b8f37e47ba9963221287c5c
Author: hkropp <[email protected]>
Date:   2016-11-03T09:35:36Z

    ZEPPELIN-1611

commit b673c76be855d7a13f7b34fda0032c2f8040694c
Author: hkropp <[email protected]>
Date:   2016-11-03T09:35:45Z

    Merge branch 'master' of github.com:apache/incubator-zeppelin into 
ZEPPELIN-1611

commit efa79afa47147d6e1caa0767d4929e3c752c64e3
Author: hkropp <[email protected]>
Date:   2016-11-03T09:35:36Z

    ZEPPELIN-1611

commit 00cc0320840a08a76925dbfbf0494f0623c0e558
Author: Anthony Corbacho <[email protected]>
Date:   2016-11-03T02:59:07Z

    [ZEPPELIN-1586] Add security check in NotebookRestApi
    
    ### What is this PR for?
    
    Bring some security check in `NotebookRestApi`.
    ### What type of PR is it?
    
    [Bug Fix | Improvement | Refactoring]
    ### Todos
    - [x] - Create a proper way to throw webapp error
    - [x] - Add in `NotebookAuthorization` some method to check if user is 
owner, reader or writer
    - [x] - Add Authorization check in `NotebookRestapi`
    - [x] - Add New test for security in notebook rest api
    
    ### What is the Jira issue?
    - [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)
    ### How should this be tested?
    
    First, force Zeppelin to use auth.
    - In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to 
**false**
    
      ```
      <property>
      <name>zeppelin.anonymous.allowed</name>
      <value>false</value>
      <description>Anonymous user allowed by default</description>
      </property>
      ```
    - In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
    
      ```
      #/** = anon
      /** = authc
      ```
    - Start Zeppelin, login and set some permission to a note
    - try to get a note from Zeppelin Rest Api 
`http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl 
(if you use curl please add shiro token to curl cookie))
    ### Screenshots (if appropriate)
    
    
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)
    ### Questions:
    - Does the licenses files need update? No
    - Is there breaking changes for older versions? No
    - Does this needs documentation? Maybe
    
    Author: Anthony Corbacho <[email protected]>
    
    Closes #1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the 
following commits:
    
    6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server
    30815c1 [Anthony Corbacho] Fix typo
    bab7e60 [Anthony Corbacho] Rewording
    decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security)
    b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user
    db0c39c [Anthony Corbacho] Address review and fix typos
    eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner
    c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException
    ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful
    6030776 [Anthony Corbacho] Handle security check
    fe380ab [Anthony Corbacho] Add webapp exception handler :)
    21f9288 [Anthony Corbacho] Replace check of anonymous by method
    0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer)
    da3415f [Anthony Corbacho] Add new method to help to determine if user is part of writer and/or owner for the given note
    4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

commit bbf17da9e5ac272227083fcdafadb13842898cac
Author: hkropp <[email protected]>
Date:   2016-11-03T09:42:04Z

    Merge branch 'ZEPPELIN-1611' of github.com:hkropp/incubator-zeppelin into 
ZEPPELIN-1611

----
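
The ZEPPELIN-1586 test steps above depend on two settings agreeing: `zeppelin.anonymous.allowed` set to false and `/** = authc` in the `[urls]` section of `conf/shiro.ini`. The following is an added example, not code from the pull request or from Zeppelin; the function names `anonymous_allowed`, `url_chains` and `audit` are hypothetical, the sample files are constructed, and an absent property is assumed to mean anonymous access is allowed, following the property description quoted above.

```python
import xml.etree.ElementTree as ET

def anonymous_allowed(site_xml):
    """Effective zeppelin.anonymous.allowed; absent is treated as true (assumption)."""
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == "zeppelin.anonymous.allowed":
            return (prop.findtext("value") or "").strip().lower() != "false"
    return True

def url_chains(shiro_ini):
    """Ordered (pattern, [filters]) pairs from the [urls] section, comments skipped."""
    chains, section = [], None
    for raw in shiro_ini.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "urls" and "=" in line:
            pattern, filters = line.split("=", 1)
            chains.append((pattern.strip(), [f.strip() for f in filters.split(",")]))
    return chains

def audit(site_xml, shiro_ini):
    """Return a list of findings; an empty list means both settings force login."""
    findings = []
    if anonymous_allowed(site_xml):
        findings.append("zeppelin.anonymous.allowed is not false")
    # Shiro evaluates [urls] top to bottom and the first matching pattern wins,
    # so an uncommented "/** = anon" above "/** = authc" leaves everything open.
    first = next((f for p, f in url_chains(shiro_ini) if p == "/**"), None)
    if first is None:
        findings.append("[urls] has no /** rule")
    elif "anon" in first or "authc" not in first:
        findings.append("first /** rule is %s, not authc" % ", ".join(first))
    return findings

# Constructed sample files, not taken from a real deployment.
SITE = """<configuration><property>
  <name>zeppelin.anonymous.allowed</name><value>%s</value>
</property></configuration>"""
WEAK_SHIRO = "[urls]\n/api/version = anon\n/** = anon\n/** = authc\n"
FIXED_SHIRO = "[urls]\n/api/version = anon\n#/** = anon\n/** = authc\n"

if __name__ == "__main__":
    print(audit(SITE % "true", WEAK_SHIRO))    # two findings
    print(audit(SITE % "false", FIXED_SHIRO))  # no findings
```
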

