GitHub user prabhjyotsingh opened a pull request: https://github.com/apache/zeppelin/pull/1322
[ZEPPELIN-1320] Security fix for Shell/Spark and Python Interpreter ### What is this PR for? While running a Notebook using shell, spark, python uses same user as which zeppelin server is running. Which means these interprets have same permission on file system as zeppelin server. IMO user should have option to run these interpreters as different user. ### What type of PR is it? [Improvement] ### Todos * [ ] - Update doc ### What is the Jira issue? * [ZEPPELIN-1320](https://issues.apache.org/jira/browse/ZEPPELIN-1320) ### How should this be tested? - Add an user in system say "zeppelin-interpreter" - Add ssh key for the same ``` ssh-keygen ssh zeppelin-interpreter@localhost mkdir -p .ssh cat ~/.ssh/id_rsa.pub | ssh zeppelin-interpreter@localhost 'cat >> .ssh/authorized_keys' ``` - Add `export ZEPPELIN_INTERPRETER_USER="zeppelin-interpreter"` in `zeppelin-env.sh` - Start zeppelin server, try and run following in paragraph in a notebook ``` %sh whoami ``` Check that it should run as new user, i.e. "zeppelin-interpreter" ### Screenshots (if appropriate) <img width="1440" alt="screen shot 2016-08-11 at 8 45 12 pm" src="https://cloud.githubusercontent.com/assets/674497/17593747/8c9eb096-6004-11e6-8487-3e44a1a0d6eb.png"> ### Questions: * Does the licenses files need update? no * Is there breaking changes for older versions? no * Does this needs documentation? yes You can merge this pull request into a Git repository by running: $ git pull https://github.com/prabhjyotsingh/zeppelin ZEPPELIN-1320 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/zeppelin/pull/1322.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #1322 ---- commit 6aafac445db4cd8944caa07280fcdbebb2faea0f Author: Prabhjyot Singh <prabhjyotsi...@gmail.com> Date: 2016-08-11T15:08:12Z user should have option to run these interpreters as different user. ---- --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---