[ZEPPELIN-1718] Prevent anonymous user to set note permission

[AhyoungRyu]

What is this PR for?

Currently anonymous user can open the notebook permission page and type sth in Owner/ Reader / Writer and then even can save it. However, in fact, it doesn't work actually.

e.g. An anonymous user can type admin / user1 to the note permission setting fields.

It doesn't make sense. At least we should disallow the non-authenticated users(a.k.a anonymous users) by deactivating those permission related features(will handle interpreter owner setting in another PR). So what I did in this PR is

• Block opening notebook permission setting page \w notebook rest api & add related docs link: https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/notebook_authorization.html

TODO

• Fix test case

What type of PR is it?

Bug Fix | Improvement

What is the Jira issue?

ZEPPELIN-1718

How should this be tested?

1. Don't activate shiro authentication
2. Open any notes
3. Click lock icon in the top of the note -> warning dialog will be shown \w "Only authenticated user can set the permission." sentence

Screenshots (if appropriate)

• Doesn't show note permission setting page & show warning dialog if anonymous user tries to click lock icon
  

Questions:

• Does the licenses files need update? no
• Is there breaking changes for older versions? no
• Does this needs documentation? no

[prabhjyotsingh]

Haven't tried it yet, but IMO we should have a check at backned for the same (both API and websocket).

[cloverhearts]

It is a cool feature.
I would like to say one thing.
If you need to prevent configuration changes for anonymous users,
you should not modify them only in the Web UI.

https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java#L112

https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java#L134

https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java # L165

Web ui can be manipulated very easily by the user, so we think that we need to modify the above restful api additionally.

[AhyoungRyu]

@prabhjyotsingh @cloverhearts Didn't think about that way. It makes sense. Thanks for your suggestion. Let me update then :)

[astroshim]

It's working well but I agree with @prabhjyotsingh and @cloverhearts blocking to change the permission on a backend side too.

[AhyoungRyu]

@prabhjyotsingh @cloverhearts @astroshim Sorry for my late response.
I added checking anonymous user using notebook rest api. So if anonymous users try to click lock icon / GET note permission setting info using url (e.g. http://http://localhost:8080/api/notebook/2C5QFHKYM/permissions), then 403 forbidden error will be shown. I updated PR description \w new UI screenshot image accordingly. Please take a look :)

And if you guys don't mind, will handle blocking interpreter owner setting part by anon user in other PR.

[AhyoungRyu]

CI is all green now! Ready to review.
Here are some brief summaries what I did.

Since from this PR anonymous(non authenticated) user can't set note permission, related test cases also need to be updated accordingly. Currently we have two test cases which check note permission as anonymous user.

• testPermissions() in NotebookRestApiTest.java added by Notebook Authorization #681
• testSearch() in ZeppelinRestApiTest.java added by [ZEPPELIN-705]Search should aware notebook permission #833

So I rewrote them based on #1567's NotebookSecurityRestApiTest.java to be tested as authenticated users.

[AhyoungRyu]

Can someone review this one? 🎅🏼

[prabhjyotsingh]

Tested, works as expectation. LGTM!

[AhyoungRyu]

@prabhjyotsingh Thanks! :D

[AhyoungRyu]

Will merge this into master if there are no more comments!

[Leemoonsoo]

After this patch, if i turn off shiro and load any notebook (without click permission button)

browser console print 403 forbidden,

And ZeppelinServer prints stack trace

WARN [2017-01-01 12:03:26,784] ({qtp106298691-16} WebApplicationExceptionMapper.java[toResponse]:73) - org.apache.zeppelin.rest.exception.ForbiddenException
	at org.apache.zeppelin.rest.NotebookRestApi.checkIfUserIsAnon(NotebookRestApi.java:133)
	at org.apache.zeppelin.rest.NotebookRestApi.getNotePermissions(NotebookRestApi.java:98)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:205)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:102)
	at 

Can we try not print error / warning on loading notebook ?

[cloverhearts]

@Leemoonsoo #1821
I was fixed that issue.

[RoxanaTapia]

Hi,
I'm experiencing this issue but with shiro activated. I want the "Note Permissions" button to be activated only for authorized users (e.g. admins). Right now any user can access, change and save the configs under "Note Permissions", so that they can edit notebooks.

[AhyoungRyu]

@RoxanaTapia Could you file a Jira issue here https://issues.apache.org/jira/projects/ZEPPELIN so that it can be tracked & handled separately ? Once a patch is merged, can't be opened again or tracked anymore.

[RoxanaTapia]

@AhyoungRyu Thanks for the quick response, here is the JIRA ticket link https://issues.apache.org/jira/browse/ZEPPELIN-3133

[RoxanaTapia]

@AhyoungRyu I'm still experiencing this issue, any idea how can I patch it, using credentials or roles?

[BigDataDataAnalyst]

@AhyoungRyu
I am facing the same issue which was reported earlier by @RoxanaTapia with Zeppelin Notebook Authorisation(with Shiro Enabled).

Here is the JIRA ticket link.
https://issues.apache.org/jira/browse/ZEPPELIN-3133

It would be great if you could throw some insights on options if any available to get-around with this issue