[ZEPPELIN-1320] Run zeppelin interpreter process as web front end user #1554
Known issue: restart of interpreter does not work as expected.

@prabhjyotsingh Do you think there is a way to impersonate without adding an ssh key when the user logged in using PAM authentication #1589?

Sure, let me check, I think it could be possible.

Updated screenshot, ready for review. @Leemoonsoo I'll try to take care of "PAM authentication" in a different PR.
cf4e346 to 1b26cc0
@prabhjyotsingh LGTM.
bin/interpreter.sh
Outdated
| getZeppelinVersion | ||
| ;; | ||
| u) | ||
| ZEPPELIN_SSH_COMMAND="ssh ${OPTARG}@localhost " |
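Review bot: `${OPTARG}` is placed into ZEPPELIN_SSH_COMMAND in the `u)` branch without any validation, and the result is a command string rather than an argument list. A user name containing whitespace or beginning with `-` would be split into additional ssh arguments wherever this string is expanded unquoted. Suggest checking OPTARG against a login-name pattern (for example `^[a-z_][a-z0-9_-]*$`) and exiting with an error on mismatch before the command is built. The trailing space inside the quotes implies later string concatenation, so a short comment on how the variable is consumed would also help.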
How about making ZEPPELIN_SSH_COMMAND configurable? Because some users may run ssh on a non-standard port, and some users may even want to use a different command, like sudo, to impersonate.

The idea is, we can make this part just get the impersonate user

```
u)
  ZEPPELIN_IMPERSONATE_USER="${OPTARG}"
```

and then we can define ZEPPELIN_IMPERSONATE_CMD from bin/common.sh in a configurable way

```
if [[ -z "$ZEPPELIN_IMPERSONATE_CMD" ]]; then
  ZEPPELIN_IMPERSONATE_CMD=`echo "ssh ${ZEPPELIN_IMPERSONATE_USER}@localhost"`
else
  ZEPPELIN_IMPERSONATE_CMD=$(eval "echo ${ZEPPELIN_IMPERSONATE_CMD}")
fi
```

So users can override ZEPPELIN_IMPERSONATE_CMD in conf/zeppelin-env.sh or inside of an interpreter property, for example

```
ZEPPELIN_IMPERSONATE_CMD='sudo -u ${ZEPPELIN_IMPERSONATE_USER}'
```

What do you think?
Yes, sure, that totally makes sense. I'll do it right away.
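The override mechanism discussed in the review thread above, as an added example that is not part of the PR or of Zeppelin's code: it checks the impersonation user name and fills the `${ZEPPELIN_IMPERSONATE_USER}` placeholder by literal text replacement instead of `eval`, so a template read from an interpreter property is never executed while it is being expanded. The function names and the accepted login-name pattern are assumptions.

```sh
#!/bin/sh
# Added example, not Zeppelin's code. Function names and the accepted
# login-name pattern are assumptions made for illustration.
LC_ALL=C; export LC_ALL            # make the a-z ranges below ASCII-only

placeholder='${ZEPPELIN_IMPERSONATE_USER}'   # literal text, never expanded

# Accept only conservative login names: first char a-z or '_', then
# a-z, 0-9, '_' or '-', at most 32 characters.
valid_impersonate_user() {
  [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
  case $1 in
    [!a-z_]*)      return 1 ;;   # bad first character (also blocks a leading '-')
    *[!a-z0-9_-]*) return 1 ;;   # whitespace, quotes, '$', ';' and so on
  esac
  return 0
}

# Print the impersonation command for user $1 using template $2
# (default: the ssh form from the review comment). The placeholder is
# replaced as plain text, so nothing in the template is executed here.
build_impersonate_cmd() {
  user=$1
  tmpl=${2:-"ssh ${placeholder}@localhost"}
  if ! valid_impersonate_user "$user"; then
    echo "refusing impersonation user name" >&2
    return 1
  fi
  out=
  while :; do
    case $tmpl in
      *"$placeholder"*)
        out=$out${tmpl%%"$placeholder"*}$user   # text before the first placeholder
        tmpl=${tmpl#*"$placeholder"}            # text after it
        ;;
      *) break ;;
    esac
  done
  printf '%s\n' "$out$tmpl"
}

# Constructed sample: the sudo override from the review comment.
build_impersonate_cmd user1 'sudo -u ${ZEPPELIN_IMPERSONATE_USER}'   # prints: sudo -u user1
```
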
LGTM and merge to master if there're no further comments.
Have recreated this from apache#1322

### What is this PR for?
While running a Notebook using shell, spark, python uses same user as which zeppelin server is running. Which means these interpreters have same permission on file system as zeppelin server.
IMO users should be able to impersonate themselves as a complete security system.

### What type of PR is it?
[Improvement]

### Todos
- [x] - Update doc
- [x] - FIX NPEs
- [x] - FIX CI

### What is the Jira issue?
- [ZEPPELIN-1320](https://issues.apache.org/jira/browse/ZEPPELIN-1320)

### How should this be tested?
- Enable shiro auth in shiro.ini
- Add ssh key for the same user you want to try and impersonate (say user1).

```
adduser user1
ssh-keygen
ssh user1@localhost mkdir -p .ssh
cat ~/.ssh/id_rsa.pub | ssh user1@localhost 'cat >> .ssh/authorized_keys'
```

- Start zeppelin server, try and run following in paragraph in a notebook
- Go to interpreter setting page, and enable "User Impersonate" in any of the interpreter (in my example it's shell interpreter)

```
%sh
whoami
```

Check that it should run as new user, i.e. "user1"

### Screenshots (if appropriate)

### Questions:
- Does the licenses files need update? no
- Is there breaking changes for older versions? no
- Does this needs documentation? yes

Author: Prabhjyot Singh

Closes apache#1554 from prabhjyotsingh/ZEPPELIN-1320-2 and squashes the following commits:

- dc69c9d [Prabhjyot Singh] @Leemoonsoo review comment: making ZEPPELIN_SSH_COMMAND configurable
- 1b26cc0 [Prabhjyot Singh] add doc
- 5a76839 [Prabhjyot Singh] show User Impersonate only when interpreter setting is "per user" and "isolated"
- 02c3084 [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2
- 03b2f20 [Prabhjyot Singh] use user instead of ""
- 0ff80ec [Prabhjyot Singh] Merge remote-tracking branch 'origin/master' into ZEPPELIN-1320-2
- dd0731d [Prabhjyot Singh] fix missing test cases
- aff1bf0 [Prabhjyot Singh] user should have option to run these interpreters as different user.

### What is this PR for?
#1554 added a `processenduser.md`, but the navigation menu has a different name on its link, `userimpersonation.html`.
This PR changes filename from `processenduser.md` to `userimpersonation.md`.

### What type of PR is it?
Hot Fix

### Todos
* [x] - Change file name

### What is the Jira issue?
#1554

### How should this be tested?
build docs and navigate "Interpreter -> Interpreter User Impersonation"

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no

Author: Lee moon soo

Closes #1704 from Leemoonsoo/fix_link and squashes the following commits:

* 8ede96e [Lee moon soo] Change filename