Hi Adam,

You are right that Zeppelin only uses Shiro for authentication, but not for authorization. All the notebook authorization info is stored in a custom JSON file [1] instead of Shiro's backend storage. This Shiro part was implemented a very long time ago, and I also don't know the original design purpose. But I think it would be super helpful if you could help on that to unify the authentication and authorization via Shiro.
[1] https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/storage/LocalConfigStorage.java#L69

Adam Binford <adam...@gmail.com> wrote on Monday, 15 February 2021 at 06:26:

> Hi all, new Zeppelin user here. I started playing around with it to see how
> it compares to using Spark Magic for access to a secure hadoop cluster. I
> liked the native Spark cluster mode and the integration with Knox as an SSO
> mechanism provided a great user experience. I was a little confused though
> when the Notebook reader/runner/writer authorizations didn't seem to be
> working with groups. I dug into the code and realized it's because while
> the URL authorizations I assume are more natively integrated with Shiro,
> the notebook authorizations are more custom.
>
> I apologize if I made any bad assumptions or have anything wrong here, I've
> only been working with Zeppelin for a week!
>
> The current logic seems something like:
> - Get user name and all user roles
> - Get all notebook entities (for one of writer, reader, etc.)
> - Find intersection between these two lists
>
> I see the main limitation here is that Shiro doesn't natively support "Get
> all roles for user", so it's kinda worked around in
> ShiroAuthenticationService.getAssociatedRoles, which only handles specific
> realms.
>
> I'm attempting to add the Knox realm as a special case to that method to
> get things working in the short term, I can create a ticket and PR when I
> get that working if that would be helpful to others.
>
> Longer term, and without very intimate knowledge of zeppelin or how some of
> these decisions were made originally, would it make sense to try to update
> the Notebook authorization flow to something like:
> - Get all notebook entities
> - For each entity, check if user has that name/role
>
> So that it could be more natively supported by Shiro. I have no idea what
> the lift would be for that, but figured I'd bring it up and see if there
> were any reasons that it wasn't done in the first place.
>
> --
> Adam
>
--
Best Regards
Jeff Zhang
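Added example (not Zeppelin's or Shiro's own code) sketching the per-entity flow proposed in the quoted message: instead of enumerating all of a user's roles and intersecting, each notebook entity is checked against the principal name or `Subject.hasRole`, which every Shiro realm answers. The class name, the in-memory `IniRealm`, and the users, roles and writer list are constructed assumptions standing in for the Knox realm and the notebook authorization file.

```java
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

public class NotebookAuthzDemo {

    // Proposed flow: walk the notebook's entity set (names or roles) and ask
    // Shiro about each one. A match is either the caller's own principal name
    // or a role the caller holds; no "list all roles for user" call is needed,
    // so it works for any realm, Knox included.
    static boolean isAllowed(Subject subject, Set<String> entities) {
        if (subject.getPrincipal() == null) {
            return false;               // anonymous subject: nothing can match
        }
        String user = subject.getPrincipal().toString();
        for (String entity : entities) {
            if (entity.equals(user) || subject.hasRole(entity)) {
                return true;
            }
        }
        return false;                   // deny by default
    }

    public static void main(String[] args) {
        // Constructed in-memory realm; format is "user = password, role1, role2".
        Ini ini = new Ini();
        Ini.Section users = ini.addSection("users");
        users.put("alice", "secret1, analysts");
        users.put("bob", "secret2, admins");
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new IniRealm(ini)));

        // Constructed writer entities for one notebook: a role and a user name.
        Set<String> writers = Set.of("analysts", "carol");

        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret1"));
        System.out.println("alice can write: " + isAllowed(subject, writers));
        subject.logout();

        subject.login(new UsernamePasswordToken("bob", "secret2"));
        System.out.println("bob can write: " + isAllowed(subject, writers));
        subject.logout();
    }
}
```

Alice is granted through the "analysts" role and Bob is denied, without either realm ever having to expose a full role list.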