[ZEPPELIN-1586] Add security check in NotebookRestApi #1567
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1 task
minahlee
reviewed
Nov 1, 2016
| private void checkIfUserIsOwner(String noteId, String errorMsg) { | ||
| Set<String> userAndRoles = Sets.newHashSet(); | ||
| userAndRoles.add(SecurityUtils.getPrincipal()); | ||
| userAndRoles.addAll(SecurityUtils.getRoles()); |
Member
There was a problem hiding this comment.
hasReadAuthorization should be changed to isOwner?
Contributor
Author
There was a problem hiding this comment.
Bad copy paste 🗡️
| } | ||
|
|
||
| checkIfUserCanWrite(noteId, | ||
| ownerPermissionError(userAndRoles, notebookAuthorization.getOwners(noteId))); |
Member
There was a problem hiding this comment.
Seems like not only owner but also writer can change permission. Is it intended change? I am asking because this action was only allowed to owner before.
Contributor
Author
There was a problem hiding this comment.
Good catch, i guess a copy pasted so fast :(
| return new JsonResponse(Status.NOT_FOUND, "note not found.").build(); | ||
| } | ||
| checkIfNoteIsNotNull(note); | ||
| checkIfUserIsOwner(noteId, |
Member
There was a problem hiding this comment.
Since writer has permission to insert paragraph to note, wouldn't it make sense to allow them remove paragraph? For example if someone added new paragraph by mistake, he won't be able to remove it
Contributor
Author
There was a problem hiding this comment.
Yes, it make sense
Member
|
Thank you for quick response, I went through the code and it looks good to me. It would be nice if you can add some tests. Meanwhile let me build this branch and test it out. |
Contributor
Author
|
@minahlee yeah, actually i am doing this right now, I also updated to todo tasks thanks for your review! |
Member
|
I tested some of rest apis and it works well. Next step would be applying same policies to websocket. For example |
Contributor
Author
|
@minahlee you are right, I guess the next step will be to abstract this logic from rest api and apply to both rest and websocket. |
Contributor
|
I also tested and was able to reproduce screenshot above. When I was another user, it returned {"status":"FORBIDDEN","message":"Insufficient privileges you cannot get this note"}However, when I didn't log in (i.e. anonymous), the browser(Chrome) redirected me to So in my opinion, it would be better:
{"status":"FORBIDDEN","message":"Please log in"}This is a miracle feature, by the way 👍 |
Contributor
Author
|
@tae-jun thanks for the feedback, let me take a look tomorrow |
tae-jun
reviewed
Nov 1, 2016
| } | ||
| } | ||
|
|
||
| protected static void startUpWithAutenticationEnabled() throws Exception { |
Contributor
There was a problem hiding this comment.
There was a typo! :)
startUpWithAutenticationEnabled -> startUpWithAuthenticationEnabled
Contributor
Author
|
@tae-jun After looking at the code base, I think this case should be handle in another PR, this is kinda out of the scope of this PR and its already becoming super big. But your made a very valid point here and I guess it deserve a Jira ticket. i will try to find some time to handle this special case. What do you think? |
Contributor
|
@anthonycorbacho Nice! I agree with you :) I will open the issue on JIRA. But since I don't know much about the code structure, I may need some help 😃 |
Contributor
Author
|
@tae-jun creating an issue doenst mean that you have to handle it, of course if you want you are welcome to do so, but remember we are a community so that mean we are here to help each others so if you create the PR i can spend some time and work with you on it :) |
Contributor
|
@anthonycorbacho Thanks :-) Don't worry! I do this because I want to do 😄 |
… on anonimous mode or not
…r owner for the given note
…least owner, reader, writer)
…e throw WebAppException
…th shiro (security), I also added some utility http method to do action with authenticated user
Member
|
Same Spark 1.3.1 test profile failure exists on master which looks like below: So I am going to merge this if there is no more discussion. |
Contributor
|
I guess it's same CI error with #1518. There is a log which is: gzip: stdin: unexpected end of file
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
+echo 'Unable to extract spark-1.3.1-bin-hadoop2.3.tgz'
Unable to extract spark-1.3.1-bin-hadoop2.3.tgzThis is because of cache failure of Travis CI, and if it happens, it goes forever. Because caching is done only at the first time. Because of this, if you follow the log more, you can see: SPARK HOME detected nullTherefore, Zeppelin cannot find Spark, and it goes to failure. I think it will pass if you run Travis CI on your own repository. |
Contributor
Author
|
Yeaaaaaay! |
darionyaphet
pushed a commit
to darionyaphet/zeppelin
that referenced
this pull request
Nov 4, 2016
### What is this PR for? Bring some security check in `NotebookRestApi`. ### What type of PR is it? [Bug Fix | Improvement | Refactoring] ### Todos - [x] - Create a proper way to throw webapp error - [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer - [x] - Add Authorization check in `NotebookRestapi` - [x] - Add New test for security in notebook rest api ### What is the Jira issue? - [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586) ### How should this be tested? First, force Zeppelin to use auth. - In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to **false** ``` <property> <name>zeppelin.anonymous.allowed</name> <value>false</value> <description>Anonymous user allowed by default</description> </property> ``` - In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file ``` #/** = anon /** = authc ``` - Start Zeppelin, login and set some permission to a note - try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie)) ### Screenshots (if appropriate)  ### Questions: - Does the licenses files need update? No - Is there breaking changes for older versions? No - Does this needs documentation? Maybe Author: Anthony Corbacho <[email protected]> Closes apache#1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the following commits: 6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server 30815c1 [Anthony Corbacho] Fix typo bab7e60 [Anthony Corbacho] Rewording decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security) b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user db0c39c [Anthony Corbacho] Adress review and fix typos eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful 6030776 [Anthony Corbacho] Handle security check fe380ab [Anthony Corbacho] Add webapp exception handler :) 21f9288 [Anthony Corbacho] Replace check of aninonimous by method 0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer) da3415f [Anthony Corbacho] Add new method to help to determinate if user is part of writer and/or owner for the given note 4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get is zeppelin is running on anonimous mode or not
darionyaphet
pushed a commit
to darionyaphet/zeppelin
that referenced
this pull request
Nov 4, 2016
### What is this PR for? Bring some security check in `NotebookRestApi`. ### What type of PR is it? [Bug Fix | Improvement | Refactoring] ### Todos - [x] - Create a proper way to throw webapp error - [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer - [x] - Add Authorization check in `NotebookRestapi` - [x] - Add New test for security in notebook rest api ### What is the Jira issue? - [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586) ### How should this be tested? First, force Zeppelin to use auth. - In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to **false** ``` <property> <name>zeppelin.anonymous.allowed</name> <value>false</value> <description>Anonymous user allowed by default</description> </property> ``` - In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file ``` #/** = anon /** = authc ``` - Start Zeppelin, login and set some permission to a note - try to get a note from Zeppelin Rest Api `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl please add shiro token to curl cookie)) ### Screenshots (if appropriate)  ### Questions: - Does the licenses files need update? No - Is there breaking changes for older versions? No - Does this needs documentation? Maybe Author: Anthony Corbacho <[email protected]> Closes apache#1567 from anthonycorbacho/fix/ZEPPELIN-1586 and squashes the following commits: 6615935 [Anthony Corbacho] Clean anonymous allowed property when shutting down zeppelin server 30815c1 [Anthony Corbacho] Fix typo bab7e60 [Anthony Corbacho] Rewording decd1e9 [Anthony Corbacho] Simple implementation of notebook test with shiro (security) b412266 [Anthony Corbacho] Refactored Abstract rest api test to also handle the case of tests with shiro (security), I also added some utility http method to do action with authenticated user db0c39c [Anthony Corbacho] Adress review and fix typos eacfa8e [Anthony Corbacho] Fix typo and bad copy paste for isOwner c8c42b2 [Anthony Corbacho] Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException ed404a4 [Anthony Corbacho] Rename permission check note :: be more meaningful 6030776 [Anthony Corbacho] Handle security check fe380ab [Anthony Corbacho] Add webapp exception handler :) 21f9288 [Anthony Corbacho] Replace check of aninonimous by method 0e4cc3c [Anthony Corbacho] Add new method to check if user and roles are member of the note (at least owner, reader, writer) da3415f [Anthony Corbacho] Add new method to help to determinate if user is part of writer and/or owner for the given note 4a43b07 [Anthony Corbacho] Add new method on ZeppelinConfiguration to get is zeppelin is running on anonimous mode or not
asfgit
pushed a commit
that referenced
this pull request
Nov 5, 2016
…main page ### What is this PR for? - Enables removing note and clear all paragraph's output from Zeppelin main page. - Add rest api for clearing all paragraph output Next possible improvement can be removing notes in folder level and rename folder. ### What type of PR is it? Improvement ### Todos * [x] - Merge #1567 and apply security to `clearAllParagraphOutput` rest api method ### What is the Jira issue? [ZEPPELIN-1564](https://issues.apache.org/jira/browse/ZEPPELIN-1564) ### Screenshots (if appropriate)  ### Questions: - Does the licenses files need update? no - Is there breaking changes for older versions? no - Does this needs documentation? yes Author: Mina Lee <[email protected]> Closes #1565 from minahlee/ZEPPELIN-1564 and squashes the following commits: 749aebe [Mina Lee] Merge branch 'master' of https://github.com/apache/zeppelin into ZEPPELIN-1564 1393ee9 [Mina Lee] Rename class name from UnauthorizedException to ForbiddenException Update clear output rest api doc response code 2ee452e [Mina Lee] Add auth check before clearing all paragraph fb7e6ae [Mina Lee] Merge branch 'master' of https://github.com/apache/zeppelin into ZEPPELIN-1564 f349dbf [Mina Lee] Change post to put 7eb3521 [Mina Lee] Give writer permission to clear output dea3ef6 [Mina Lee] Remove unused import d66600c [Mina Lee] Add rest api endpoint for clear paragraph result to document 3d19141 [Mina Lee] Add rest api for clear all paragraph result and add test 98d7604 [Mina Lee] Add clearAllParagraphOutput unit test 4adddb4 [Mina Lee] Clear all paragraphs and remove note from main page
1 task
asfgit
pushed a commit
that referenced
this pull request
Jan 11, 2017
### What is this PR for? After #1567 merged we can get/set note permission info for a certain note. But this info is not described in anywhere for now. So I added "Security" section under [docs/rest-api/rest-notebook.md](https://github.com/apache/zeppelin/blob/master/docs/rest-api/rest-notebook.md). And currently so many operations are placed under one section like below. <img src="https://cloud.githubusercontent.com/assets/10060731/21560964/c55d41cc-cea9-11e6-96ac-68f762c68bff.png" width="400px"> So I split them under each `Note opersions`, `Paragraph operations`, `Cron jobs`, and `Permission` section. <img src="https://cloud.githubusercontent.com/assets/10060731/21799253/ca3bc596-d75b-11e6-82e5-ba440c7f0713.png" width="400px"> ### What type of PR is it? Documentation ### What is the Jira issue? [ZEPPELIN-1877](https://issues.apache.org/jira/browse/ZEPPELIN-1877) ### How should this be tested? Please see the below screenshots :) ### Screenshots (if appropriate)   ### Questions: * Does the licenses files need update? no * Is there breaking changes for older versions? no * Does this needs documentation? no Author: AhyoungRyu <[email protected]> Closes #1825 from AhyoungRyu/ZEPPELIN-1586/docs and squashes the following commits: a8b6506 [AhyoungRyu] Change some operations' ordering based on CRUD 09d22d3 [AhyoungRyu] Add 'Security' section under notebook restapi docs
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What is this PR for?
Bring some security check in
NotebookRestApi.What type of PR is it?
[Bug Fix | Improvement | Refactoring]
Todos
NotebookAuthorizationsome method to check if user is owner, reader or writerNotebookRestapiWhat is the Jira issue?
How should this be tested?
First, force Zeppelin to use auth.
In
conf/zeppelin-site.xmlchangezeppelin.anonymous.allowedto falseIn
conf/shiro.iniset Shiro to useAuthat the end of the fileStart Zeppelin, login and set some permission to a note
try to get a note from Zeppelin Rest Api
http://localhost:8080/api/notebook/{noteId}(you can use your browser or curl (if you use curl please add shiro token to curl cookie))Screenshots (if appropriate)
Questions: