You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@zeppelin.apache.org by Prasad Wagle <pr...@gmail.com> on 2016/01/29 05:30:39 UTC
Notebook Authorization Design
Hi,
My team has implemented Notebook authorization using the approach described
in the design document here
<https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and would like
to get feedback from the community. It would be great if we could reach
agreement on the high-level design before we work on a pull request.
Thanks,
Prasad
Re: Notebook Authorization Design
Posted by Prasad Wagle <pr...@gmail.com>.
I have completed all the Todos in the pull request
https://github.com/apache/incubator-zeppelin/pull/681 except: "Find way to
get roles for a user in SecurityUtils (see SHIRO-492)". I am curious to
know what people think of the approach I have taken with Shiro
authorization and would appreciate any suggestions on how to implement
SecurityUtils.getRoles.
Thanks,
Prasad
On Tue, Feb 2, 2016 at 5:07 AM, Eric Charles <er...@apache.org> wrote:
> (see my answers inline)
>
> On 01/02/16 20:18, Prasad Wagle wrote:
>
>> Thanks Moon and Eric. I created a pull request -
>> https://github.com/apache/incubator-zeppelin/pull/681 and am looking
>> forward to community feedback.
>>
>> I am getting a Travis CI build error
>> <https://travis-ci.org/apache/incubator-zeppelin/builds/106159585>. Is
>> it caused by the code in this PR? Can someone help me find the root
>> cause? Btw, do we have a chat room (like gitter) for discussing Zeppelin
>> topics?
>>
>> Hi Eric - Here are my responses to your questions. Sorry if I didn't
>> understand them correctly.
>>
>> > I read you will use an external server for authentication which will
>> redirect to a zeppelin server url.
>> Yes, we need to do that in our company environment. In my PR, I use
>> Shiro authentication.
>>
>>
> Thx for the info.
>
> > I wonder if you pull request will support multiple user for a single
>> server or if, just like now, we need a server deployment by user (with
>> all the fun with the http ports...) ? (this is not defined in your
>> document)
>>
>> What do you mean by "server deployment by user"? Doesn't Shiro
>> authentication support multiple users on a single server?
>>
>>
> I was thinking to some completely separated environments (notes workspace,
> interpreters settings/bindings...) by user.
>
> For now, every authenticated user on the zeppelin-server sees the changes
> that other users are doing (changes in the interpreter settings, stop/start
> of the interpreter, changes in a paragraph of a note...).
>
> But I get your idea and it makes sense to me to introduce this step.
>
>
>
>> Regards,
>> Prasad
>>
>>
>> On Sun, Jan 31, 2016 at 1:38 AM, Eric Charles <eric@apache.org
>> <ma...@apache.org>> wrote:
>>
>> Very nice doc!
>>
>> I read you will use an external server for authentication which will
>> redirect to a zeppelin server url.
>>
>> I wonder if you pull request will support multiple user for a single
>> server or if, just like now, we need a server deployment by user
>> (with all the fun with the http ports...) ? (this is not defined in
>> your document)
>>
>> On 31/01/16 01:57, moon soo Lee wrote:
>>
>> Thanks Prasad for sharing the design document.
>> I think your document really nicely defined authorization in
>> Zeppelin
>> and I think your approach for Notebook Authorization really make
>> sense.
>>
>> Like DuyHai mentioned, Zeppelin uses Shiro for authentication. If
>> authorization can works smoothly with Shiro, that would be great.
>>
>> Thanks again for sharing nice documentation. And looking forward
>> to a
>> pull request.
>>
>> Best,
>> moon
>>
>> On Fri, Jan 29, 2016 at 7:57 PM DuyHai Doan
>> <doanduyhai@gmail.com <ma...@gmail.com>
>> <mailto:doanduyhai@gmail.com <ma...@gmail.com>>>
>> wrote:
>>
>> Have you look at the commit done by hayssams for Apache Shiro
>> integration with Zeppelin ?
>> https://github.com/apache/incubator-zeppelin/pull/586 ?
>>
>> There is also a JIRA to implement authorization on notes:
>> https://issues.apache.org/jira/browse/ZEPPELIN-549
>>
>> On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle
>> <prasadwagle@gmail.com <ma...@gmail.com>
>> <mailto:prasadwagle@gmail.com
>> <ma...@gmail.com>>> wrote:
>>
>> Hi,
>>
>> My team has implemented Notebook authorization using the
>> approach described in the design document here
>>
>> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and
>> would
>> like to get feedback from the community. It would be
>> great if we
>> could reach agreement on the high-level design before
>> we work on
>> a pull request.
>>
>> Thanks,
>> Prasad
>>
>>
>>
>>
>>
>> --
>> Prasad Wagle
>> 408.476.6261 <tel:408.476.6261> | twitter.com/prasadwagle
>> <http://twitter.com/prasadwagle> | prasadwagle@gmail.com
>> <ma...@gmail.com> | www.linkedin.com/in/prasadwagle
>> <http://www.linkedin.com/in/prasadwagle>
>>
>
Re: Notebook Authorization Design
Posted by Eric Charles <er...@apache.org>.
(see my answers inline)
On 01/02/16 20:18, Prasad Wagle wrote:
> Thanks Moon and Eric. I created a pull request -
> https://github.com/apache/incubator-zeppelin/pull/681 and am looking
> forward to community feedback.
>
> I am getting a Travis CI build error
> <https://travis-ci.org/apache/incubator-zeppelin/builds/106159585>. Is
> it caused by the code in this PR? Can someone help me find the root
> cause? Btw, do we have a chat room (like gitter) for discussing Zeppelin
> topics?
>
> Hi Eric - Here are my responses to your questions. Sorry if I didn't
> understand them correctly.
>
> > I read you will use an external server for authentication which will
> redirect to a zeppelin server url.
> Yes, we need to do that in our company environment. In my PR, I use
> Shiro authentication.
>
Thx for the info.
> > I wonder if you pull request will support multiple user for a single
> server or if, just like now, we need a server deployment by user (with
> all the fun with the http ports...) ? (this is not defined in your document)
>
> What do you mean by "server deployment by user"? Doesn't Shiro
> authentication support multiple users on a single server?
>
I was thinking to some completely separated environments (notes
workspace, interpreters settings/bindings...) by user.
For now, every authenticated user on the zeppelin-server sees the
changes that other users are doing (changes in the interpreter settings,
stop/start of the interpreter, changes in a paragraph of a note...).
But I get your idea and it makes sense to me to introduce this step.
>
> Regards,
> Prasad
>
>
> On Sun, Jan 31, 2016 at 1:38 AM, Eric Charles <eric@apache.org
> <ma...@apache.org>> wrote:
>
> Very nice doc!
>
> I read you will use an external server for authentication which will
> redirect to a zeppelin server url.
>
> I wonder if you pull request will support multiple user for a single
> server or if, just like now, we need a server deployment by user
> (with all the fun with the http ports...) ? (this is not defined in
> your document)
>
> On 31/01/16 01:57, moon soo Lee wrote:
>
> Thanks Prasad for sharing the design document.
> I think your document really nicely defined authorization in
> Zeppelin
> and I think your approach for Notebook Authorization really make
> sense.
>
> Like DuyHai mentioned, Zeppelin uses Shiro for authentication. If
> authorization can works smoothly with Shiro, that would be great.
>
> Thanks again for sharing nice documentation. And looking forward
> to a
> pull request.
>
> Best,
> moon
>
> On Fri, Jan 29, 2016 at 7:57 PM DuyHai Doan
> <doanduyhai@gmail.com <ma...@gmail.com>
> <mailto:doanduyhai@gmail.com <ma...@gmail.com>>> wrote:
>
> Have you look at the commit done by hayssams for Apache Shiro
> integration with Zeppelin ?
> https://github.com/apache/incubator-zeppelin/pull/586 ?
>
> There is also a JIRA to implement authorization on notes:
> https://issues.apache.org/jira/browse/ZEPPELIN-549
>
> On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle
> <prasadwagle@gmail.com <ma...@gmail.com>
> <mailto:prasadwagle@gmail.com
> <ma...@gmail.com>>> wrote:
>
> Hi,
>
> My team has implemented Notebook authorization using the
> approach described in the design document here
>
> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and would
> like to get feedback from the community. It would be
> great if we
> could reach agreement on the high-level design before
> we work on
> a pull request.
>
> Thanks,
> Prasad
>
>
>
>
>
> --
> Prasad Wagle
> 408.476.6261 <tel:408.476.6261> | twitter.com/prasadwagle
> <http://twitter.com/prasadwagle> | prasadwagle@gmail.com
> <ma...@gmail.com> | www.linkedin.com/in/prasadwagle
> <http://www.linkedin.com/in/prasadwagle>
Re: Notebook Authorization Design
Posted by Prasad Wagle <pr...@gmail.com>.
Thanks Moon and Eric. I created a pull request -
https://github.com/apache/incubator-zeppelin/pull/681 and am looking
forward to community feedback.
I am getting a Travis CI build error
<https://travis-ci.org/apache/incubator-zeppelin/builds/106159585>. Is it
caused by the code in this PR? Can someone help me find the root cause?
Btw, do we have a chat room (like gitter) for discussing Zeppelin topics?
Hi Eric - Here are my responses to your questions. Sorry if I didn't
understand them correctly.
> I read you will use an external server for authentication which will
redirect to a zeppelin server url.
Yes, we need to do that in our company environment. In my PR, I use Shiro
authentication.
> I wonder if you pull request will support multiple user for a single
server or if, just like now, we need a server deployment by user (with all
the fun with the http ports...) ? (this is not defined in your document)
What do you mean by "server deployment by user"? Doesn't Shiro
authentication support multiple users on a single server?
Regards,
Prasad
On Sun, Jan 31, 2016 at 1:38 AM, Eric Charles <er...@apache.org> wrote:
> Very nice doc!
>
> I read you will use an external server for authentication which will
> redirect to a zeppelin server url.
>
> I wonder if you pull request will support multiple user for a single
> server or if, just like now, we need a server deployment by user (with all
> the fun with the http ports...) ? (this is not defined in your document)
>
> On 31/01/16 01:57, moon soo Lee wrote:
>
>> Thanks Prasad for sharing the design document.
>> I think your document really nicely defined authorization in Zeppelin
>> and I think your approach for Notebook Authorization really make sense.
>>
>> Like DuyHai mentioned, Zeppelin uses Shiro for authentication. If
>> authorization can works smoothly with Shiro, that would be great.
>>
>> Thanks again for sharing nice documentation. And looking forward to a
>> pull request.
>>
>> Best,
>> moon
>>
>> On Fri, Jan 29, 2016 at 7:57 PM DuyHai Doan <doanduyhai@gmail.com
>> <ma...@gmail.com>> wrote:
>>
>> Have you look at the commit done by hayssams for Apache Shiro
>> integration with Zeppelin ?
>> https://github.com/apache/incubator-zeppelin/pull/586 ?
>>
>> There is also a JIRA to implement authorization on notes:
>> https://issues.apache.org/jira/browse/ZEPPELIN-549
>>
>> On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle <prasadwagle@gmail.com
>> <ma...@gmail.com>> wrote:
>>
>> Hi,
>>
>> My team has implemented Notebook authorization using the
>> approach described in the design document here
>> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and
>> would
>> like to get feedback from the community. It would be great if we
>> could reach agreement on the high-level design before we work on
>> a pull request.
>>
>> Thanks,
>> Prasad
>>
>>
>>
--
Prasad Wagle
408.476.6261 | twitter.com/prasadwagle | prasadwagle@gmail.com |
www.linkedin.com/in/prasadwagle
Re: Notebook Authorization Design
Posted by Eric Charles <er...@apache.org>.
Very nice doc!
I read you will use an external server for authentication which will
redirect to a zeppelin server url.
I wonder if you pull request will support multiple user for a single
server or if, just like now, we need a server deployment by user (with
all the fun with the http ports...) ? (this is not defined in your document)
On 31/01/16 01:57, moon soo Lee wrote:
> Thanks Prasad for sharing the design document.
> I think your document really nicely defined authorization in Zeppelin
> and I think your approach for Notebook Authorization really make sense.
>
> Like DuyHai mentioned, Zeppelin uses Shiro for authentication. If
> authorization can works smoothly with Shiro, that would be great.
>
> Thanks again for sharing nice documentation. And looking forward to a
> pull request.
>
> Best,
> moon
>
> On Fri, Jan 29, 2016 at 7:57 PM DuyHai Doan <doanduyhai@gmail.com
> <ma...@gmail.com>> wrote:
>
> Have you look at the commit done by hayssams for Apache Shiro
> integration with Zeppelin ?
> https://github.com/apache/incubator-zeppelin/pull/586 ?
>
> There is also a JIRA to implement authorization on notes:
> https://issues.apache.org/jira/browse/ZEPPELIN-549
>
> On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle <prasadwagle@gmail.com
> <ma...@gmail.com>> wrote:
>
> Hi,
>
> My team has implemented Notebook authorization using the
> approach described in the design document here
> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and would
> like to get feedback from the community. It would be great if we
> could reach agreement on the high-level design before we work on
> a pull request.
>
> Thanks,
> Prasad
>
>
Re: Notebook Authorization Design
Posted by moon soo Lee <mo...@apache.org>.
Thanks Prasad for sharing the design document.
I think your document really nicely defined authorization in Zeppelin and I
think your approach for Notebook Authorization really make sense.
Like DuyHai mentioned, Zeppelin uses Shiro for authentication. If
authorization can works smoothly with Shiro, that would be great.
Thanks again for sharing nice documentation. And looking forward to a pull
request.
Best,
moon
On Fri, Jan 29, 2016 at 7:57 PM DuyHai Doan <do...@gmail.com> wrote:
> Have you look at the commit done by hayssams for Apache Shiro integration
> with Zeppelin ? https://github.com/apache/incubator-zeppelin/pull/586 ?
>
> There is also a JIRA to implement authorization on notes:
> https://issues.apache.org/jira/browse/ZEPPELIN-549
>
> On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle <pr...@gmail.com>
> wrote:
>
>> Hi,
>>
>> My team has implemented Notebook authorization using the approach
>> described in the design document here
>> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and would
>> like to get feedback from the community. It would be great if we could
>> reach agreement on the high-level design before we work on a pull request.
>>
>> Thanks,
>> Prasad
>>
>
>
Re: Notebook Authorization Design
Posted by DuyHai Doan <do...@gmail.com>.
Have you look at the commit done by hayssams for Apache Shiro integration
with Zeppelin ? https://github.com/apache/incubator-zeppelin/pull/586 ?
There is also a JIRA to implement authorization on notes:
https://issues.apache.org/jira/browse/ZEPPELIN-549
On Fri, Jan 29, 2016 at 5:30 AM, Prasad Wagle <pr...@gmail.com> wrote:
> Hi,
>
> My team has implemented Notebook authorization using the approach
> described in the design document here
> <https://gist.github.com/prasadwagle/712b7ca1e0f1f4f1aa20> and would like
> to get feedback from the community. It would be great if we could reach
> agreement on the high-level design before we work on a pull request.
>
> Thanks,
> Prasad
>