Posted to dev@zeppelin.apache.org by "Eric Charles (JIRA)" <ji...@apache.org> on 2015/07/31 17:37:05 UTC

[jira] [Created] (ZEPPELIN-193) Kerberos (SPNEGO) Support

Eric Charles created ZEPPELIN-193:
-------------------------------------

             Summary: Kerberos (SPNEGO) Support
                 Key: ZEPPELIN-193
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-193
             Project: Zeppelin
          Issue Type: New Feature
          Components: GUI
    Affects Versions: 0.5.1
            Reporter: Eric Charles
             Fix For: 0.5.1


The goal is to restrict WEB access to users being previously authenticated by a Kerberos server (so having a valid Kerberos Ticket).

I will submit a PR which implements a filter (from hadoop-auth jar) in case a new configuration key zeppelin.security.authentication is set to kerberos.

I will also add session management to maintain the set of authenticated users. This is needed to ensure the websocket is also secured.

This is related to:
- ZEPPELIN-173 (Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking)
- ZEPPELIN-113 (Provide HTTP Keep Alive for Web and Web Sockets)

I will try to rely on ZEPPELIN-172 (Websocket connection without separate port) as it may be easier to secure a single webapp managed by Jetty.


