Posted to commits@zeppelin.apache.org by zj...@apache.org on 2020/07/06 02:20:38 UTC

[zeppelin] branch branch-0.9 updated: [ZEPPELIN-4930]. User can restart interpreter in notebook without running permissions

This is an automated email from the ASF dual-hosted git repository.

zjffdu pushed a commit to branch branch-0.9
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/branch-0.9 by this push:
     new 627185f  [ZEPPELIN-4930]. User can restart interpreter in notebook without running permissions
627185f is described below

commit 627185f5aea0040de3c36d8148d55efad64ab05a
Author: Jeff Zhang <zj...@apache.org>
AuthorDate: Wed Jul 1 22:06:22 2020 +0800

    [ZEPPELIN-4930]. User can restart interpreter in notebook without running permissions
    
    ### What is this PR for?
    
    Before this PR, a user could restart the interpreter from the note page even without run permission on the note. This PR checks the permission before restarting the interpreter.
    
    ### What type of PR is it?
    [Bug Fix]
    
    ### Todos
    * [ ] - Task
    
    ### What is the Jira issue?
    * https://issues.apache.org/jira/browse/ZEPPELIN-4930
    
    ### How should this be tested?
    * Manually tested
    
    ### Screenshots (if appropriate)
    
    ![image](https://user-images.githubusercontent.com/164491/86253513-3b99dc00-bbe7-11ea-8fca-420c1b437d30.png)
    
    ### Questions:
    * Does the licenses files need update? No
    * Is there breaking changes for older versions? No
    * Does this needs documentation? No
    
    Author: Jeff Zhang <zj...@apache.org>
    
    Closes #3836 from zjffdu/ZEPPELIN-4930 and squashes the following commits:
    
    444a06063 [Jeff Zhang] [ZEPPELIN-4930]. User can restart interpreter in notebook without running permissions
    
    (cherry picked from commit 58e074b6bc19a5c8184717a6644f05763e8a2d14)
    Signed-off-by: Jeff Zhang <zj...@apache.org>
---
 .../apache/zeppelin/rest/InterpreterRestApi.java   | 24 +++++++++++++++++++---
 .../zeppelin/notebook/AuthorizationService.java    |  2 +-
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java
index f8475d6..36ec1bd 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/InterpreterRestApi.java
@@ -28,6 +28,7 @@ import org.apache.zeppelin.interpreter.InterpreterException;
 import org.apache.zeppelin.interpreter.InterpreterPropertyType;
 import org.apache.zeppelin.interpreter.InterpreterSetting;
 import org.apache.zeppelin.interpreter.InterpreterSettingManager;
+import org.apache.zeppelin.notebook.AuthorizationService;
 import org.apache.zeppelin.notebook.socket.Message;
 import org.apache.zeppelin.notebook.socket.Message.OP;
 import org.apache.zeppelin.rest.message.InterpreterInstallationRequest;
@@ -55,8 +56,10 @@ import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import java.io.IOException;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 
 /**
  * Interpreter Rest API.
@@ -69,6 +72,7 @@ public class InterpreterRestApi {
   private static final Logger logger = LoggerFactory.getLogger(InterpreterRestApi.class);
 
   private final AuthenticationService authenticationService;
+  private final AuthorizationService authorizationService;
   private final InterpreterService interpreterService;
   private final InterpreterSettingManager interpreterSettingManager;
   private final NotebookServer notebookServer;
@@ -76,10 +80,12 @@ public class InterpreterRestApi {
   @Inject
   public InterpreterRestApi(
       AuthenticationService authenticationService,
+      AuthorizationService authorizationService,
       InterpreterService interpreterService,
       InterpreterSettingManager interpreterSettingManager,
       NotebookServer notebookWsServer) {
     this.authenticationService = authenticationService;
+    this.authorizationService = authorizationService;
     this.interpreterService = interpreterService;
     this.interpreterSettingManager = interpreterSettingManager;
     this.notebookServer = notebookWsServer;
@@ -201,10 +207,22 @@ public class InterpreterRestApi {
       if (null == noteId) {
         interpreterSettingManager.close(settingId);
       } else {
-        interpreterSettingManager.restart(settingId,
-                new ExecutionContextBuilder().setUser(authenticationService.getPrincipal()).setNoteId(noteId).createExecutionContext());
+        Set<String> entities = new HashSet<>();
+        entities.add(authenticationService.getPrincipal());
+        entities.addAll(authenticationService.getAssociatedRoles());
+        if (authorizationService.hasRunPermission(entities, noteId) ||
+                authorizationService.hasWritePermission(entities, noteId) ||
+                authorizationService.isOwner(entities, noteId)) {
+          interpreterSettingManager.restart(settingId,
+                  new ExecutionContextBuilder()
+                          .setUser(authenticationService.getPrincipal())
+                          .setNoteId(noteId)
+                          .createExecutionContext());
+        } else {
+          return new JsonResponse<>(Status.FORBIDDEN, "No privilege to restart interpreter")
+                  .build();
+        }
       }
-
     } catch (InterpreterException e) {
       logger.error("Exception in InterpreterRestApi while restartSetting ", e);
       return new JsonResponse<>(Status.NOT_FOUND, e.getMessage(), ExceptionUtils.getStackTrace(e))
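Review bot: The new permission test guards only the `else` branch; when `noteId` is null the request still reaches `interpreterSettingManager.close(settingId)` with no authorization check visible in this hunk, and that is the broader of the two actions. If that path is not already restricted somewhere outside the hunk, it should be gated as well, using whatever admin or owner check the project already has. On the refused path I would also record the attempt, for example `logger.warn("Denied interpreter restart: user={} noteId={} settingId={}", authenticationService.getPrincipal(), noteId, settingId);`, so that denied restarts can be traced later. The enclosing method starts and ends outside the hunk, so checks made earlier in it cannot be ruled out from here.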
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java
index ecdafe2..8272c6d 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/AuthorizationService.java
@@ -342,7 +342,7 @@ public class AuthorizationService implements ClusterEventListener {
     if (userAndRoles == null) {
       return false;
     }
-    return isReader(noteId, userAndRoles);
+    return isRunner(noteId, userAndRoles);
   }
 
   public boolean isPublic() {
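Review bot: This one-line switch from `isReader` to `isRunner` has no regression test, and it changes the answer for every caller of the method (presumably `hasRunPermission`; the signature is outside the hunk), not just the REST restart path. An identity holding only reader rights passed this check before and is refused now, so the description's "no breaking changes" deserves a second look for deployments that relied on the old behaviour. A unit test that grants a principal reader rights only and asserts the method returns false would keep the reader/runner mix-up from coming back. A short comment above the return, such as `// run permission is decided by the runner list, not the reader list`, would make the intent explicit.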