Posted to dev@zeppelin.apache.org by Adam Binford <ad...@gmail.com> on 2021/02/14 22:25:54 UTC

Knox Notebook Authorization

Hi all, new Zeppelin user here. I started playing around with it to see how
it compares to using Spark Magic for access to a secure hadoop cluster. I
liked the native Spark cluster mode and the integration with Knox as an SSO
mechanism provided a great user experience. I was a little confused though
when the Notebook reader/runner/writer authorizations didn't seem to be
working with groups. I dug into the code and realized it's because while
the URL authorizations I assume are more natively integrated with Shiro,
the notebook authorizations are more custom.

I apologize if I made any bad assumptions or have anything wrong here, I've
only been working with Zeppelin for a week!

The current logic seems something like:
- Get user name and all user roles
- Get all notebook entities (for one of writer, reader, etc.)
- Find intersection between these two lists

I see the main limitation here is that Shiro doesn't natively support "Get
all roles for user", so it's kinda worked around in
ShiroAuthenticationService.getAssociatedRoles, which only handles specific
realms.

I'm attempting to add the Knox realm as a special case to that method to
get things working in the short term; I can create a ticket and PR when I
get that working if that would be helpful to others.

Longer term, and without very intimate knowledge of zeppelin or how some of
these decisions were made originally, would it make sense to try to update
the Notebook authorization flow to something like:
- Get all notebook entities
- For each entity, check if user has that name/role

So that it could be more natively supported by Shiro. I have no idea what
the lift would be for that, but figured I'd bring it up and see if there
were any reasons that it wasn't done in the first place.

-- 
Adam
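The two notebook-authorization flows sketched in the message above, written out as an added Java illustration. This is not code from the thread or from Zeppelin's code base; it assumes Apache Shiro's `org.apache.shiro.subject.Subject` API on the classpath, and the class name `NotebookAccessCheck`, the method names, and the sample role/entity values are all hypothetical. The first method models the current "intersect the user's full role list with the notebook's entity list" flow, which needs a "list all roles for this user" operation that Shiro does not define for arbitrary realms; the second models the proposed "for each entity, ask Shiro" flow, which only needs `Subject.hasRole`.

```java
import java.util.HashSet;
import java.util.Set;

import org.apache.shiro.subject.Subject;

/**
 * Hypothetical helper (not Zeppelin's NotebookAuthorization) comparing the
 * two authorization flows discussed on the list.
 */
public class NotebookAccessCheck {

    /**
     * Current flow as described in the thread: the caller must already hold
     * the user's complete role list (the part Shiro cannot supply for every
     * realm), then intersects {user} ∪ roles with the notebook's entity list.
     */
    public static boolean allowedByIntersection(String user,
                                                Set<String> userRoles,
                                                Set<String> notebookEntities) {
        Set<String> principals = new HashSet<>(userRoles);
        principals.add(user);
        principals.retainAll(notebookEntities);   // set intersection
        return !principals.isEmpty();
    }

    /**
     * Proposed flow: iterate the notebook's entity list and let Shiro answer
     * each question. Subject.hasRole(...) is answered by whichever realm
     * authenticated the subject (Knox, LDAP, ...), so no per-realm
     * "enumerate all roles" workaround is required.
     *
     * The thread does not say how an empty entity list should be treated, so
     * that policy is deliberately left to the caller; this method denies when
     * there is nothing to match.
     */
    public static boolean allowedBySubject(Subject subject,
                                           Set<String> notebookEntities) {
        if (subject == null || subject.getPrincipal() == null) {
            return false;   // unauthenticated subject: deny
        }
        String user = subject.getPrincipal().toString();
        for (String entity : notebookEntities) {
            // An entity may be either a user name or a role name.
            if (entity.equals(user) || subject.hasRole(entity)) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample data exercising the intersection flow only; the
    // Subject-based flow needs a live Shiro SecurityManager to run.
    public static void main(String[] args) {
        Set<String> roles = new HashSet<>();
        roles.add("analysts");
        Set<String> readers = new HashSet<>();
        readers.add("analysts");
        readers.add("alice");

        System.out.println(allowedByIntersection("bob", roles, readers));      // true via role
        System.out.println(allowedByIntersection("alice", new HashSet<>(), readers)); // true via user
        System.out.println(allowedByIntersection("carol", new HashSet<>(), readers)); // false
    }
}
```

The behavioural difference worth noting for reviewers is that `allowedBySubject` never sees a role list at all: a realm that only implements `hasRole` (which is all Shiro's `Realm` contract obliges it to do for authorization) works unchanged, whereas `allowedByIntersection` silently denies every group-based grant whenever the role enumeration for that realm is missing or incomplete, which matches the "groups don't work" symptom reported above.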

Re: Knox Notebook Authorization

Posted by Jongyoul Lee <jo...@gmail.com>.
Hello,

Personally, I added some code to integrate another AA engine with some
settings, but it's at a very early stage, so we need to implement a new AA
engine. Anyway, it's possible to replace the current shiro. :-)

On Mon, Feb 15, 2021 at 10:38 AM, Jeff Zhang <zj...@gmail.com> wrote:

> Hi Adam,
>
> You are right that zeppelin only uses shiro for authentication, but not for
> authorization. All the notebook authorization info is stored in a custom json
> file [1] instead of shiro's backend storage. This shiro part was
> implemented a very long time ago; I also don't know the original design
> purpose. But I think it would be super helpful if you can help on that to
> unify the authentication and authorization via shiro.
>
> [1]
> https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/storage/LocalConfigStorage.java#L69
>
> On Mon, Feb 15, 2021 at 6:26 AM, Adam Binford <ad...@gmail.com> wrote:
>
> > Hi all, new Zeppelin user here. I started playing around with it to see how
> > it compares to using Spark Magic for access to a secure hadoop cluster. I
> > liked the native Spark cluster mode and the integration with Knox as an SSO
> > mechanism provided a great user experience. I was a little confused though
> > when the Notebook reader/runner/writer authorizations didn't seem to be
> > working with groups. I dug into the code and realized it's because while
> > the URL authorizations I assume are more natively integrated with Shiro,
> > the notebook authorizations are more custom.
> >
> > I apologize if I made any bad assumptions or have anything wrong here, I've
> > only been working with Zeppelin for a week!
> >
> > The current logic seems something like:
> > - Get user name and all user roles
> > - Get all notebook entities (for one of writer, reader, etc.)
> > - Find intersection between these two lists
> >
> > I see the main limitation here is that Shiro doesn't natively support "Get
> > all roles for user", so it's kinda worked around in
> > ShiroAuthenticationService.getAssociatedRoles, which only handles specific
> > realms.
> >
> > I'm attempting to add the Knox realm as a special case to that method to
> > get things working in the short term; I can create a ticket and PR when I
> > get that working if that would be helpful to others.
> >
> > Longer term, and without very intimate knowledge of zeppelin or how some of
> > these decisions were made originally, would it make sense to try to update
> > the Notebook authorization flow to something like:
> > - Get all notebook entities
> > - For each entity, check if user has that name/role
> >
> > So that it could be more natively supported by Shiro. I have no idea what
> > the lift would be for that, but figured I'd bring it up and see if there
> > were any reasons that it wasn't done in the first place.
> >
> > --
> > Adam
> >
>
>
> --
> Best Regards
>
> Jeff Zhang
>


-- 
이종열, Jongyoul Lee, 李宗烈
http://madeng.net

Re: Knox Notebook Authorization

Posted by Jeff Zhang <zj...@gmail.com>.
Hi Adam,

You are right that zeppelin only uses shiro for authentication, but not for
authorization. All the notebook authorization info is stored in a custom json
file [1] instead of shiro's backend storage. This shiro part was
implemented a very long time ago; I also don't know the original design
purpose. But I think it would be super helpful if you can help on that to
unify the authentication and authorization via shiro.

[1]
https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/storage/LocalConfigStorage.java#L69

On Mon, Feb 15, 2021 at 6:26 AM, Adam Binford <ad...@gmail.com> wrote:

> Hi all, new Zeppelin user here. I started playing around with it to see how
> it compares to using Spark Magic for access to a secure hadoop cluster. I
> liked the native Spark cluster mode and the integration with Knox as an SSO
> mechanism provided a great user experience. I was a little confused though
> when the Notebook reader/runner/writer authorizations didn't seem to be
> working with groups. I dug into the code and realized it's because while
> the URL authorizations I assume are more natively integrated with Shiro,
> the notebook authorizations are more custom.
>
> I apologize if I made any bad assumptions or have anything wrong here, I've
> only been working with Zeppelin for a week!
>
> The current logic seems something like:
> - Get user name and all user roles
> - Get all notebook entities (for one of writer, reader, etc.)
> - Find intersection between these two lists
>
> I see the main limitation here is that Shiro doesn't natively support "Get
> all roles for user", so it's kinda worked around in
> ShiroAuthenticationService.getAssociatedRoles, which only handles specific
> realms.
>
> I'm attempting to add the Knox realm as a special case to that method to
> get things working in the short term; I can create a ticket and PR when I
> get that working if that would be helpful to others.
>
> Longer term, and without very intimate knowledge of zeppelin or how some of
> these decisions were made originally, would it make sense to try to update
> the Notebook authorization flow to something like:
> - Get all notebook entities
> - For each entity, check if user has that name/role
>
> So that it could be more natively supported by Shiro. I have no idea what
> the lift would be for that, but figured I'd bring it up and see if there
> were any reasons that it wasn't done in the first place.
>
> --
> Adam
>


-- 
Best Regards

Jeff Zhang