GitHub user AhyoungRyu opened a pull request:
https://github.com/apache/zeppelin/pull/1694
[ZEPPELIN-1718] Prevent anonymous user to set note permission / interpreter owner
### What is this PR for?
Currently, an anonymous user can set note permissions / an interpreter's owner, as below.
e.g.
- An anonymous user can type `admin` / `user1` into the note permission setting fields (but it doesn't actually work).
- The anonymous user can remove predefined `Owners` in the interpreter menu by editing it, since we don't check the user's principal for this.
It doesn't actually make sense. At least we should disallow non-authenticated users by deactivating those permission-related features. So what I did in this PR is:
- "Set permission" checkbox for interpreter owner setting with notice sentence & related docs link: https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/shiroauthentication.html#security-setup
- Hide note authorization setting fields with notice sentence & related docs link: https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/notebook_authorization.html
### What type of PR is it?
Bug Fix | Improvement
### Todos
- [ ] disallow anon users from editing all the other interpreter properties: not only "Set permissions" but also ...
### What is the Jira issue?
[ZEPPELIN-1718](https://issues.apache.org/jira/browse/ZEPPELIN-1718)
### How should this be tested?
### Screenshots (if appropriate)
- Hide authorization setting fields for anon user in the note
<img width="600" alt="note_permission" src="https://cloud.githubusercontent.com/assets/10060731/20671445/c0553240-b5c0-11e6-8fe8-21ba4f4ae1dc.gif">
- Disable "Set permission" checkbox to anon user in the interpreter creation page
<img width="600" alt="screen shot 2016-11-28 at 11 06 17 pm" src="https://cloud.githubusercontent.com/assets/10060731/20671464/cf1beb5c-b5c0-11e6-8faf-47a73b0ebf38.png">
- Disable "Set permission" checkbox to anon user in the interpreter setting update page
<img width="600" alt="edit_interpreter" src="https://cloud.githubusercontent.com/assets/10060731/20671496/e548cf44-b5c0-11e6-9148-63946829db27.gif">
### Questions:
* Do the license files need an update? no
* Are there breaking changes for older versions? no
* Does this need documentation? no
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/AhyoungRyu/zeppelin prevent-anon-user
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zeppelin/pull/1694.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1694
----
commit b59c22b0c4e71c158ffed4bd48d728059ad6077e
Author: AhyoungRyu <[email protected]>
Date: 2016-11-27T16:46:20Z
Prevent to set permission by anonymous user
commit 465a58547f0e383bddced37b294546f5ac1dc165
Author: AhyoungRyu <[email protected]>
Date: 2016-11-28T08:31:49Z
Remove some redundant parts
commit 29a0a08696215dc85bda467f80b0163ee671d35f
Author: AhyoungRyu <[email protected]>
Date: 2016-11-28T10:17:40Z
Revert again
----
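
The missing principal check described in the PR text can also be written as a rule evaluated when an owner list is submitted, in addition to hiding the fields in the UI. The following is an added example, not code from this pull request or from Zeppelin; the `anonymous` principal name, the function names, the owner-list shape and the rule that only a current owner may change a non-empty owner list are assumptions.

```javascript
// Added example: names and data shapes are assumptions, not Zeppelin code.
const ANONYMOUS = "anonymous"; // assumed principal name for unauthenticated sessions

// Normalize a user list from a request: trim, drop empties, de-duplicate.
function normalize(users) {
  return [...new Set((users || []).map((u) => String(u).trim()).filter(Boolean))];
}

// Decide whether `principal` may replace the `current` owner list with `requested`.
// Returns { allowed, reason } so the caller can log the decision and reject the request.
function authorizeOwnerChange(principal, current, requested) {
  const before = normalize(current);
  const after = normalize(requested);
  const unchanged =
    before.length === after.length && before.every((u) => after.includes(u));
  if (unchanged) return { allowed: true, reason: "no change" };
  if (!principal || principal === ANONYMOUS) {
    return { allowed: false, reason: "anonymous principal cannot edit owners" };
  }
  // Assumed rule: once owners exist, only one of them may change the list.
  if (before.length > 0 && !before.includes(principal)) {
    return { allowed: false, reason: "principal is not a current owner" };
  }
  return { allowed: true, reason: "authenticated owner or unowned resource" };
}

// Constructed requests; the first two mirror the cases in the PR description.
const samples = [
  { who: "anonymous", current: [], requested: ["admin", "user1"] }, // types admin / user1
  { who: "anonymous", current: ["admin"], requested: [] },          // removes predefined owner
  { who: "user1", current: ["admin"], requested: ["user1"] },       // non-owner takeover
  { who: "admin", current: ["admin"], requested: ["admin", "user1"] },
];

// Evaluate every constructed request and return the allow/deny decisions in order.
function runSamples() {
  return samples.map((s) => authorizeOwnerChange(s.who, s.current, s.requested).allowed);
}

console.log(runSamples());
```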