Posted to dev@zeppelin.apache.org by hayssams <gi...@git.apache.org> on 2015/12/31 18:56:09 UTC

[GitHub] incubator-zeppelin pull request: Shiro security v2

GitHub user hayssams opened a pull request:

    https://github.com/apache/incubator-zeppelin/pull/586

    Shiro security v2

    Added Authentication.
    Once authenticated, a user has access to all notes.
    HTTP & Websocket channels are secured and require auth.
    This PR is based on PR 53 which also implements user ownership on notes.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ebiznext/incubator-zeppelin shiro-security-v2

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/incubator-zeppelin/pull/586.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #586
    
----
commit e2affca7b3423141be98fbca041257c5aa81a38d
Author: Hayssam Saleh <ha...@ebiznext.com>
Date:   2015-12-31T17:40:19Z

    Securing the HTTP channel only.
    Websocket security is done in the next commit

commit f9b1952a247ea8f55d1cf8270d61c615007b63e8
Author: Hayssam Saleh <ha...@ebiznext.com>
Date:   2015-12-31T17:41:49Z

    The Websocket channel is now as secure as the HTTP channel.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169542005
  
    @hayssams Great to see CI test passing!
    
    You'll also need to update https://github.com/apache/incubator-zeppelin/blob/master/zeppelin-distribution/src/bin_license/LICENSE for the `shiro-core` and `shiro-web` dependencies introduced by this PR.
    
    And could you explain a little bit about how `zeppelin.anonymous.allowed` in zeppelin-site.xml will be different from `/** = anon` in shiro.ini? Can we have only a single configuration for anonymous mode?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168474853
  
    @hayssams Thanks for the v2 branch.
    
    I'm having some error with zeppelin-web [development mode](https://github.com/apache/incubator-zeppelin/blob/master/zeppelin-web/README.md#configured-environment)
    
    ![image](https://cloud.githubusercontent.com/assets/1540981/12077786/6c01176a-b1aa-11e5-8240-0962844061ea.png)
    
    could you take a look?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169795246
  
    @Leemoonsoo 
    Since we are in a WS context, we can't rely on Shiro to check the auth mode (anon versus authc).
    However I can manage from the WS context to load the shiro.ini from the classpath without relying on shiro to get the auth mode.



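The question above (how `zeppelin.anonymous.allowed` relates to `/** = anon` in shiro.ini) and the answer (read shiro.ini from the classpath to learn the auth mode without going through Shiro) are illustrated by this added Python sketch; it is not Zeppelin's code. The sample ini is constructed, only exact paths and `/**`-style prefixes are matched, and the warnings encode the thread's own split (shiro.ini guards HTTP, the property guards the WebSocket channel):

```python
import configparser

# Constructed shiro.ini fragment modelled on the thread's Step 1 and the
# "/** = ssl,authcBasic" example; it is not the project's own conf/shiro.ini.
SAMPLE_SHIRO_INI = """
[users]
admin = password1
user1 = password2

[urls]
/api/version = anon
#/** = anon
/** = ssl,authcBasic
"""

AUTH_FILTERS = {"authc", "authcBasic", "user"}  # Shiro filters that demand a login


def parse_url_chains(ini_text):
    """Return the [urls] section as an ordered list of (pattern, [filters]).

    Shiro ini uses '#' for comments and first-match-wins ordering, so entry
    order is preserved and commented-out lines (like '#/** = anon') are skipped.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep '/**' and '/api/version' exactly as written
    cp.read_string(ini_text)
    if not cp.has_section("urls"):
        return []
    return [(pattern, [f.strip() for f in chain.split(",") if f.strip()])
            for pattern, chain in cp["urls"].items()]


def chain_for(path, chains):
    """First matching chain for `path`. Only exact paths and '/**'-style prefix
    patterns are modelled here (an assumption; Shiro's matcher is richer)."""
    for pattern, filters in chains:
        if pattern == path:
            return filters
        if pattern.endswith("/**") and path.startswith(pattern[:-2]):
            return filters
    return []


def http_requires_auth(chains, path="/"):
    """True when the HTTP chain protecting `path` contains an authenticating filter."""
    return any(f in AUTH_FILTERS for f in chain_for(path, chains))


def check_anonymous_consistency(chains, anonymous_allowed):
    """Compare zeppelin.anonymous.allowed with the catch-all chain in shiro.ini.

    Returns a list of warnings. In the thread, shiro.ini drives the HTTP
    channel while the property drives the WebSocket check, so a disagreement
    leaves one channel weaker than the other.
    """
    warnings = []
    http_auth = http_requires_auth(chains)
    if http_auth and anonymous_allowed:
        warnings.append("HTTP requires login but zeppelin.anonymous.allowed=true: "
                        "WebSocket messages from 'anonymous' would be accepted")
    if not http_auth and not anonymous_allowed:
        warnings.append("HTTP is anonymous but zeppelin.anonymous.allowed=false: "
                        "WebSocket rejects the user HTTP just let in")
    if http_auth and "ssl" not in chain_for("/", chains):
        warnings.append("authcBasic without the ssl filter or a TLS front end "
                        "sends credentials in the clear")
    return warnings
```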
[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169087860
  
    @hayssams Thanks, confirmed the last commit made zeppelin-web dev mode work. However, if shiro.ini is configured to use authcBasic, zeppelin-web dev mode still does not work correctly. Could you take a look once again?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168367355
  
    @jeffsteinmetz 
    Solved the two issues you raised.
    Issue 1: Corrected the instructions in security-readme.md
    Issue 2: Welcome page is now correctly displayed.
    Thanks!



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169270938
  
    @Leemoonsoo 
    Made anonymous the default user for websocket message to make test pass.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168367611
  
    @anthonycorbacho
    #### Question 1: What's the purpose of the ticket?
    I added an implementation note in the security-readme file. It explains why we need a ticket to handle websocket connections. Basically, it works as follows:
    1. Shiro sits as a servlet filter and protects HTTP requests. That's enough to secure HTTP REST requests.
    2. To secure web socket connections, we make sure that the user submitted the right credentials on the HTTP REST channel. We do this by issuing a ticket on the HTTP channel (/ticket method) that the browser must submit with each websocket message.
    
    #### Question 2: Ticket saved in notebook?
    In this PR (#586), principal and ticket are not saved in the notebook.
    
    #### Question 3: What will happen if switching from secure to non-secure version and vice versa?
    In this PR (#586), it will work as expected since no change is made to the notebook structure.




[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169941061
  
    @hayssams Thanks for explaining the auth mode.
    I really appreciate this great contribution and such long patience. I think this is a really good first step toward multi-user support.
    
    Looks good to me



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by elbamos <gi...@git.apache.org>.
Github user elbamos commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168235446
  
    @hayssams Can you provide step-by-step directions for configuring and using this?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168603904
  
    @jeffsteinmetz 
    ssl[port] forces SSL on a URL. In order for this to work, jetty must listen on an SSL port.
    I think that it would be better to leave this responsibility to a front-end web server or appliance.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by jeffsteinmetz <gi...@git.apache.org>.
Github user jeffsteinmetz commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168262713
  
    I tested this PR, and it does ask for basic auth credentials after setting up `conf/shiro.ini` and setting `zeppelin.anonymous.allowed` to `false`.
    
    However, after login, it does not show the Zeppelin welcome page as expected (you can, however, navigate to specific notebooks).




[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by jeffsteinmetz <gi...@git.apache.org>.
Github user jeffsteinmetz commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168426954
  
    Confirmed: Welcome page is now correctly displayed.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169953798
  
    @Leemoonsoo 
    Great news. I had great pleasure working on it and taking into account all your remarks.
    I'll now start to write down a proposal on how Zeppelin could handle authorizations through Apache Shiro (ZEPPELIN-549).



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by jeffsteinmetz <gi...@git.apache.org>.
Github user jeffsteinmetz commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168604854
  
    @hayssams Makes sense.  I could give the SSL redirect a test, and use the SSL support already exposed by Zeppelin.
    Thank you for the follow up.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by anthonycorbacho <gi...@git.apache.org>.
Github user anthonycorbacho commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168282745
  
    What is the purpose of the ticket? And why do you save principal and ticket in the notebook?
    
    What will happen to my notebook if I have zeppelin and update to use it with shiro, and vice versa?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-170260075
  
    Merge if there're no more discussions



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168738915
  
    @Leemoonsoo 
    Just pushed the code. Now using the baseUrlSrv on bootstrap.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by Leemoonsoo <gi...@git.apache.org>.
Github user Leemoonsoo commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169232701
  
    @hayssams Thanks, zeppelin-web dev mode works well.
    
    About CI build, 
    
    ```
    Failed tests: 
      NotebookServerTest.testMakeSureNoAngularObjectBroadcastToWebsocketWhoFireTheEvent:134 
    Wanted but not invoked:
    notebookSocket.send(<any>);
    -> at org.apache.zeppelin.socket.NotebookServerTest.testMakeSureNoAngularObjectBroadcastToWebsocketWhoFireTheEvent(NotebookServerTest.java:134)
    Actually, there were zero interactions with this mock.
    ```
    
    Do you see any reason for the failing?



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by jeffsteinmetz <gi...@git.apache.org>.
Github user jeffsteinmetz commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168427010
  
    Follow-up question: Is it the responsibility of shiro to redirect to SSL so that the basic auth is not sent in the clear?
    
    I saw this shiro example:
    
    `/** = ssl,authcBasic`



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-170264313
  
    @Leemoonsoo 
    I guess that someone with write access will merge it.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168236215
  
    @elbamos 
    
    #### Step 1: Require HTTP Auth
    In conf/shiro.ini file, replace the lines 31 and 32 below 
    ```
    /** = anon
    #/** = authcBasic
    ```
    by 
    ```
    #/** = anon
    /** = authcBasic
    ```
    
    #### Step 2: Secure the Websocket channel
    Rename the conf/zeppelin-site.xml.template to conf/zeppelin-site.xml.
    The property that does it all is the following one:
    ```
    <property>
      <name>zeppelin.anonymous.allowed</name>
      <value>false</value>
      <description>Anonymous user allowed by default</description>
    </property>
    ```
    #### Step 3: Start Zeppelin and Authenticate
    
    To authenticate, use one of the user/password pairs set in the conf/shiro.ini file. See below
    ```
    admin = password1
    user1 = password2
    user2 = password3
    ```
    
    I've also included a SECURITY-README file in the PR.



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-zeppelin/pull/586



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168604520
  
    @Leemoonsoo 
    I could not reproduce.
    The 404 means that jetty could not start correctly or is not listening on that port.
    What is the error raised at the line below in ZeppelinServer.java?
    ```
        try {
          jettyWebServer.start(); //Instantiates ZeppelinServer
        } catch (Exception e) {
          LOG.error("Error while running jettyServer", e);
          System.exit(-1);
        }
    ```
    
    P.S. I am using `mvn exec:java ...` to start in dev mode



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-169160123
  
    @Leemoonsoo 
    Added support for cross site requests with credentials



[GitHub] incubator-zeppelin pull request: Shiro security v2

Posted by hayssams <gi...@git.apache.org>.
Github user hayssams commented on the pull request:

    https://github.com/apache/incubator-zeppelin/pull/586#issuecomment-168605316
  
    @Leemoonsoo 
    Just saw you are talking about the web dev mode, not the server dev mode. I am looking at your issue.

