Hi all, new Zeppelin user here. I started playing around with it to see how it compares to using Spark Magic for access to a secure Hadoop cluster. I liked the native Spark cluster mode, and the integration with Knox as an SSO mechanism provided a great user experience. I was a little confused, though, when the notebook reader/runner/writer authorizations didn't seem to be working with groups. I dug into the code and realized it's because, while the URL authorizations (I assume) are more natively integrated with Shiro, the notebook authorizations are more custom.
I apologize if I made any bad assumptions or have anything wrong here; I've only been working with Zeppelin for a week!

The current logic seems something like:
- Get user name and all user roles
- Get all notebook entities (for one of writer, reader, etc.)
- Find intersection between these two lists

I see the main limitation here is that Shiro doesn't natively support "Get all roles for user", so it's kinda worked around in ShiroAuthenticationService.getAssociatedRoles, which only handles specific realms. I'm attempting to add the Knox realm as a special case to that method to get things working in the short term; I can create a ticket and PR when I get that working if that would be helpful to others.

Longer term, and without very intimate knowledge of Zeppelin or how some of these decisions were made originally, would it make sense to try to update the notebook authorization flow to something like:
- Get all notebook entities
- For each entity, check if user has that name/role

so that it could be more natively supported by Shiro. I have no idea what the lift would be for that, but figured I'd bring it up and see if there were any reasons that it wasn't done in the first place.

-- Adam
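The two flows sketched in the post, as an added example (this is not Zeppelin's own code and does not put Shiro on the classpath). A hypothetical `SubjectView` interface stands in for the two methods of Shiro's `Subject` that the per-entity check needs, `getPrincipal()` and `hasRole(String)`; the "all roles for user" input of the intersection flow is modelled as a set that a realm not special-cased by something like `getAssociatedRoles` leaves empty. The class and method names, the notebook ACL and the users and groups are all constructed for the illustration.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Illustration of the two notebook authorization flows discussed above.
 * Not Zeppelin code. SubjectView is a hypothetical stand-in for the parts of
 * org.apache.shiro.subject.Subject used here (getPrincipal() and hasRole(String));
 * Shiro's Subject has no "list all roles" method, which is what the
 * intersection flow has to work around per realm.
 */
public class NotebookAuthzExample {

    /** Stand-in for Subject#getPrincipal() and Subject#hasRole(String). */
    interface SubjectView {
        String principal();
        boolean hasRole(String role);
    }

    /**
     * A subject backed by a realm that can answer membership questions but
     * cannot enumerate a user's roles (constructed stand-in for the SSO/Knox case).
     */
    static SubjectView membershipOnlySubject(String user, Set<String> groupsFromIdp) {
        return new SubjectView() {
            public String principal() { return user; }
            public boolean hasRole(String role) { return groupsFromIdp.contains(role); }
        };
    }

    /**
     * Current flow as described in the post: intersect {user} plus all of the
     * user's roles with the notebook's entity list. allUserRoles has to come
     * from a realm-specific enumeration; when the realm is not handled, the
     * caller only has an empty set to pass in.
     */
    static boolean authorizedByIntersection(String user, Set<String> allUserRoles,
                                            Set<String> entities) {
        Set<String> candidates = new HashSet<>(allUserRoles);
        candidates.add(user);
        candidates.retainAll(entities);
        return !candidates.isEmpty();
    }

    /**
     * Proposed flow: walk the notebook's entity list and ask the subject about
     * each entry, so role membership is decided by the realm, not enumerated.
     */
    static boolean authorizedByEntityCheck(SubjectView subject, Set<String> entities) {
        for (String entity : entities) {
            if (entity.equals(subject.principal()) || subject.hasRole(entity)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed notebook writers list: one direct user plus one group.
        Set<String> writers = new HashSet<>(Arrays.asList("alice", "data-eng"));

        // Constructed user: "bob" is a member of "data-eng" according to the IdP.
        SubjectView bob = membershipOnlySubject("bob", Collections.singleton("data-eng"));

        // Realm not covered by the enumeration workaround: nothing can be listed for bob.
        Set<String> enumeratedRoles = Collections.emptySet();
        System.out.println("bob via group, intersection flow: "
                + authorizedByIntersection("bob", enumeratedRoles, writers));

        // Same user and ACL, but each entity is checked through hasRole.
        System.out.println("bob via group, per-entity flow:   "
                + authorizedByEntityCheck(bob, writers));

        // A user named directly in the ACL is handled the same way by both flows.
        SubjectView alice = membershipOnlySubject("alice", Collections.emptySet());
        System.out.println("alice by name, intersection flow: "
                + authorizedByIntersection("alice", Collections.emptySet(), writers));
        System.out.println("alice by name, per-entity flow:   "
                + authorizedByEntityCheck(alice, writers));
    }
}
```

Two things worth keeping in mind with this comparison. First, the failure mode of the intersection flow when a realm cannot be enumerated is a denial, not an over-grant: an empty role set can only shrink the intersection, which is consistent with groups "not working" rather than granting access to the wrong people. Second, the per-entity flow trades one enumeration for one `hasRole` call per ACL entry; for the handful of entries a notebook typically has that is cheap, but a realm that resolves each call against a remote backend would want caching in front of it.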
