Posted to commits@zeppelin.apache.org by co...@apache.org on 2016/06/10 01:47:51 UTC

zeppelin git commit: [ZEPPELIN-939] Improve notebook authorization documentation

Repository: zeppelin
Updated Branches:
  refs/heads/master 96dbc6656 -> 8553a0880


[ZEPPELIN-939] Improve notebook authorization documentation

### What is this PR for?
Currently Zeppelin provides an authorization mechanism on each notebook. But it seems many users cannot get much useful information from [the existing notebook authorization docs](https://zeppelin.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/notebook_authorization.html). So I added some information so that users can follow step by step.

Moreover, the [interpreter authorization docs](https://zeppelin.apache.org/docs/0.6.0-incubating-SNAPSHOT/security/interpreter_authorization.html) don't provide much information so far. This can be confusing to users. So I removed it temporarily. We can add it again when we have a specific(?) feature for `interpreter & data source authorization`.

### What type of PR is it?
Improvement | Documentation

### Todos
* [x] - Remove security_overview.md & interpreter_authorization.md
* [x] - Improve notebook authorization docs

### What is the Jira issue?
[ZEPPELIN-939](https://issues.apache.org/jira/browse/ZEPPELIN-939)

### How should this be tested?

### Screenshots (if appropriate)
 - **Before**
<img width="1107" alt="screen shot 2016-06-01 at 5 46 22 pm" src="https://cloud.githubusercontent.com/assets/10060731/15730358/cf8074ec-2820-11e6-8e55-d0552896d95d.png">

 - **After**
<img width="1030" alt="screen shot 2016-06-01 at 5 48 17 pm" src="https://cloud.githubusercontent.com/assets/10060731/15730384/1b6c8a08-2821-11e6-89ae-7d054ec87c57.png">
<img width="1007" alt="screen shot 2016-06-01 at 5 48 31 pm" src="https://cloud.githubusercontent.com/assets/10060731/15730386/1ea6e42a-2821-11e6-9630-da2ca67970f0.png">

### Questions:
* Do the license files need an update? No
* Are there breaking changes for older versions? No
* Does this need documentation? No

Author: AhyoungRyu <fb...@hanmail.net>

Closes #947 from AhyoungRyu/ZEPPELIN-939 and squashes the following commits:

e63af10 [AhyoungRyu] Revert interpreter_authorization.md
6438cc2 [AhyoungRyu] Improve notebook authorization documentation
6e1c1b3 [AhyoungRyu] Remove deleted file list in navbar
26f77d0 [AhyoungRyu] Remove security_overview.md & interpreter_authorization.md


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/8553a088
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/8553a088
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/8553a088

Branch: refs/heads/master
Commit: 8553a08803400d6165e72071170157234f15402f
Parents: 96dbc66
Author: AhyoungRyu <fb...@hanmail.net>
Authored: Sat Jun 4 11:10:46 2016 -0700
Committer: Damien CORNEAU <co...@gmail.com>
Committed: Fri Jun 10 10:47:35 2016 +0900

----------------------------------------------------------------------
 docs/_includes/themes/zeppelin/_navigation.html |   1 -
 .../img/docs-img/insufficient_privileges.png    | Bin 0 -> 133718 bytes
 .../img/docs-img/permission_setting.png         | Bin 0 -> 192905 bytes
 docs/security/interpreter_authorization.md      |   2 +-
 docs/security/notebook_authorization.md         |  44 +++++++++++++------
 docs/security/overview.md                       |  28 ------------
 6 files changed, 32 insertions(+), 43 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/_includes/themes/zeppelin/_navigation.html
----------------------------------------------------------------------
diff --git a/docs/_includes/themes/zeppelin/_navigation.html b/docs/_includes/themes/zeppelin/_navigation.html
index 179ede8..0a54a94 100644
--- a/docs/_includes/themes/zeppelin/_navigation.html
+++ b/docs/_includes/themes/zeppelin/_navigation.html
@@ -93,7 +93,6 @@
                 <li><a href="{{BASE_PATH}}/rest-api/rest-configuration.html">Configuration API</a></li>
                 <li role="separator" class="divider"></li>
                 <!-- li><span><b>Security</b><span></li -->
-                <li><a href="{{BASE_PATH}}/security/overview.html">Security Overview</a></li>
                 <li><a href="{{BASE_PATH}}/security/authentication.html">Authentication for NGINX</a></li>
                 <li><a href="{{BASE_PATH}}/security/shiroauthentication.html">Shiro Authentication</a></li>
                 <li><a href="{{BASE_PATH}}/security/notebook_authorization.html">Notebook Authorization</a></li>
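
Review bot: Removing the `security/overview.html` entry is only safe if nothing else still points at that page. `docs/security/overview.md` is deleted in this same commit, so please search the docs for remaining `overview.html` references, or add a redirect, so existing links do not 404. While touching this block, the commented-out header on the context line above, `<!-- li><span><b>Security</b><span></li -->`, has a second `<span>` where `</span>` is meant; fix it or drop the comment.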

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png
----------------------------------------------------------------------
diff --git a/docs/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png b/docs/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png
new file mode 100644
index 0000000..80d80f5
Binary files /dev/null and b/docs/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png differ

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/assets/themes/zeppelin/img/docs-img/permission_setting.png
----------------------------------------------------------------------
diff --git a/docs/assets/themes/zeppelin/img/docs-img/permission_setting.png b/docs/assets/themes/zeppelin/img/docs-img/permission_setting.png
new file mode 100644
index 0000000..ed80941
Binary files /dev/null and b/docs/assets/themes/zeppelin/img/docs-img/permission_setting.png differ

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/security/interpreter_authorization.md
----------------------------------------------------------------------
diff --git a/docs/security/interpreter_authorization.md b/docs/security/interpreter_authorization.md
index d6c48b2..3809cd4 100644
--- a/docs/security/interpreter_authorization.md
+++ b/docs/security/interpreter_authorization.md
@@ -33,4 +33,4 @@ The interpret method takes the user string as parameter and executes the jdbc ca
 In case of Presto, we don't need password if the Presto DB server runs backend code using HDFS authorization for the user.
 For databases like Vertica and Mysql we have to store password information for users.
 
-The Credentials tab in the navbar allows users to save credentials for data sources which are passed to interpreters.
\ No newline at end of file
+The Credentials tab in the navbar allows users to save credentials for data sources which are passed to interpreters.
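
Review bot: The only change to this file is the newline at end of file, but the commit description says the interpreter authorization docs were removed temporarily and ticks "Remove security_overview.md & interpreter_authorization.md" in the Todos. The squashed list does include "Revert interpreter_authorization.md", so please update the description to say the page is kept; otherwise anyone reading the log will look for a deletion that is not in the diff.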

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/security/notebook_authorization.md
----------------------------------------------------------------------
diff --git a/docs/security/notebook_authorization.md b/docs/security/notebook_authorization.md
index aafe060..34888ea 100644
--- a/docs/security/notebook_authorization.md
+++ b/docs/security/notebook_authorization.md
@@ -17,21 +17,39 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
-# Notebook Authorization
+# Zeppelin Notebook Authorization
 
-We assume that there is an authentication component that associates a user string and a set of group strings with every NotebookSocket.
+We assume that there is an **Shiro Authentication** component that associates a user string and a set of group strings with every NotebookSocket. 
+If you don't set the authentication components yet, please check [Shiro authentication for Apache Zeppelin](./shiroauthentication.html) first.
 
-Each note has the following:
-* set of owner entities (users or groups)
-* set of reader entities (users or groups)
-* set of writer entities (users or groups)
+## Authorization Setting
+You can set Zeppelin notebook permissions in each notebooks. Of course only **notebook owners** can change this configuration. 
+Just click **Lock icon** and open the permission setting page in your notebook.
 
-If a set is empty, it means that any user can perform that operation.
+As you can see, each Zeppelin notebooks has 3 entities : 
 
-The NotebookServer classifies every Note operation into three categories: read, write, manage.
-Before executing a Note operation, it checks if the user and the groups associated with the NotebookSocket have permissions. For example, before executing an read
-operation, it checks if the user and the groups have at least one entity that belongs to the reader entities.
+* Owners ( users or groups )
+* Readers ( users or groups )
+* Writers ( users or groups )
 
-To initialize and modify note permissions, we provide UI like "Interpreter binding". The user inputs comma separated entities for owners, readers and writers.
-We execute a rest api call with this information. In the backend we get the user information for the connection and allow the operation if the user and groups
-associated with the current user have at least one entity that belongs to owner entities for the note.
+<center><img src="../assets/themes/zeppelin/img/docs-img/permission_setting.png"></center>
+
+Fill out the each forms with comma seperated **users** and **groups** configured in `conf/shiro.ini` file.
+If the form is empty (*), it means that any users can perform that operation.
+
+If someone who doesn't have **read** permission is trying to access the notebook or someone who doesn't have **write** permission is trying to edit the notebook, Zeppelin will ask to login or block the user. 
+
+<center><img src="../assets/themes/zeppelin/img/docs-img/insufficient_privileges.png"></center>
+
+## How it works
+In this section, we will explain the detail about how the notebook authorization works in backend side.
+
+#### NotebookServer
+The [NotebookServer](https://github.com/apache/incubator-zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java) classifies every notebook operations into three categories: **Read**, **Write**, **Manage**.
+Before executing a notebook operation, it checks if the user and the groups associated with the `NotebookSocket` have permissions. 
+For example, before executing a **Read** operation, it checks if the user and the groups have at least one entity that belongs to the **Reader** entities.
+
+#### Notebook REST API call
+Zeppelin executes a [REST API call](https://github.com/apache/incubator-zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/NotebookRestApi.java) for the notebook permission information.
+In the backend side, Zeppelin gets the user information for the connection and allows the operation if the users and groups
+associated with the current user have at least one entity that belongs to owner entities for the notebook.
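
Review bot: The line `If the form is empty (*), it means that any users can perform that operation.` contradicts the earlier `Of course only **notebook owners** can change this configuration.`, because by this rule an empty Owners field lets any user change the permissions. Please state that case explicitly next to the Owners bullet, since it is the default-open behaviour readers most need to know about. In the "Notebook REST API call" paragraph, the old text said the owners, readers and writers entered in the UI are sent with the REST call; the new wording `for the notebook permission information` no longer says whether the call reads or sets permissions, so restore that detail. `Zeppelin will ask to login or block the user` should say which of the two happens in which case. Smaller points: "an **Shiro Authentication**" should be "a", "each notebooks" should be "each notebook", "seperated" should be "separated", and the two `<img>` tags use a relative `../assets/...` path while the navigation template uses `{{BASE_PATH}}`.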

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/8553a088/docs/security/overview.md
----------------------------------------------------------------------
diff --git a/docs/security/overview.md b/docs/security/overview.md
deleted file mode 100644
index e76410d..0000000
--- a/docs/security/overview.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-layout: page
-title: "Security Overview"
-description: "Security Overview"
-group: security
----
-<!--
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-{% include JB/setup %}
-
-# Security Overview
-
-There are three aspects to Zeppelin security:
-
-* Authentication: is the user who they say they are? [More](authentication.html)
-* Notebook authorization: does the user have permissions to read or write to a note? [More](notebook_authorization.html)
-* Interpreter and data source authorization: does the user have permissions to perform interpreter operations or access data source objects? [More](interpreter_authorization.html)
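
Review bot: Deleting this page removes the only link to `interpreter_authorization.html` shown in this patch, while that page itself is kept. Please confirm the navigation still has an entry for it, otherwise it becomes unreachable from the docs. The three-bullet summary (authentication, notebook authorization, interpreter and data source authorization) is also the only place the security model is described as a whole; consider moving it to the top of `notebook_authorization.md` or `shiroauthentication.md` rather than dropping it.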