Added: zeppelin/site/docs/0.9.0/setup/security/notebook_authorization.html URL: http://svn.apache.org/viewvc/zeppelin/site/docs/0.9.0/setup/security/notebook_authorization.html?rev=1884775&view=auto ============================================================================== --- zeppelin/site/docs/0.9.0/setup/security/notebook_authorization.html (added) +++ zeppelin/site/docs/0.9.0/setup/security/notebook_authorization.html Thu Dec 24 14:36:01 2020 @@ -0,0 +1,367 @@ + +<!DOCTYPE html> +<html lang="en"> + <head> + <meta charset="utf-8"> + <title>Apache Zeppelin 0.9.0 Documentation: Notebook Authorization in Apache Zeppelin</title> + <meta name="description" content="This page will guide you how you can set the permission for Zeppelin notebooks. This document assumes that Apache Shiro authentication was set up."> + <meta name="author" content="The Apache Software Foundation"> + + <!-- Enable responsive viewport --> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + + <!-- Le HTML5 shim, for IE6-8 support of HTML elements --> + <!--[if lt IE 9]> + <script src="http://html5shim.googlecode.com/svn/trunk/html5.js";></script> + <![endif]--> + + <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet"> + + <!-- Le styles --> + <link href="/docs/0.9.0/assets/themes/zeppelin/bootstrap/css/bootstrap.css" rel="stylesheet"> + <link href="/docs/0.9.0/assets/themes/zeppelin/css/style.css?body=1" rel="stylesheet" type="text/css"> + <link href="/docs/0.9.0/assets/themes/zeppelin/css/syntax.css" rel="stylesheet" type="text/css" media="screen" /> + <!-- Le fav and touch icons --> + <!-- Update these with your own images + <link rel="shortcut icon" href="images/favicon.ico"> + <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> + <link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png"> + <link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png"> + --> + + <!-- Js --> + <script src="https://code.jquery.com/jquery-1.10.2.min.js";></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/bootstrap/js/bootstrap.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/docs.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/anchor.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/toc.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/lunr.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/search.js"></script> + + <!-- atom & rss feed --> + <link href="/docs/0.9.0/atom.xml" type="application/atom+xml" rel="alternate" title="Sitewide ATOM Feed"> + <link href="/docs/0.9.0/rss.xml" type="application/rss+xml" rel="alternate" title="Sitewide RSS Feed"> + </head> + + <body> + + <div id="menu" class="navbar navbar-inverse navbar-fixed-top" role="navigation"> + <div class="container navbar-container"> + <div class="navbar-header"> + <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> + <span class="sr-only">Toggle navigation</span> + <span class="icon-bar"></span> + <span class="icon-bar"></span> + <span class="icon-bar"></span> + </button> + <div class="navbar-brand"> + <a class="navbar-brand-main" href="http://zeppelin.apache.org";> + <img src="/docs/0.9.0/assets/themes/zeppelin/img/zeppelin_logo.png" width="50" + style="margin-top: -2px;" alt="I'm zeppelin"> + <span style="margin-left: 5px; font-size: 27px;">Zeppelin</span> + <a class="navbar-brand-version" href="/docs/0.9.0" + style="font-size: 15px; color: white;"> 0.9.0 + </a> + </a> + </div> + </div> + <nav class="navbar-collapse collapse" role="navigation"> + <ul class="nav navbar-nav"> + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Quick Start <b class="caret"></b></a> + <ul class="dropdown-menu"> + <li class="title"><span>Getting Started</span></li> + <li><a href="/docs/0.9.0/quickstart/install.html">Install</a></li> + <li><a href="/docs/0.9.0/quickstart/explore_ui.html">Explore UI</a></li> + <li><a href="/docs/0.9.0/quickstart/tutorial.html">Tutorial</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Run Mode</span></li> + <li><a href="/docs/0.9.0/quickstart/kubernetes.html">Kubernetes</a></li> + <li><a href="/docs/0.9.0/quickstart/docker.html">Docker</a></li> + <li><a href="/docs/0.9.0/quickstart/yarn.html">Yarn</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/quickstart/spark_with_zeppelin.html">Spark with Zeppelin</a></li> + <li><a href="/docs/0.9.0/quickstart/sql_with_zeppelin.html">SQL with Zeppelin</a></li> + <li><a href="/docs/0.9.0/quickstart/python_with_zeppelin.html">Python with Zeppelin</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Usage<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Dynamic Form</span></li> + <li><a href="/docs/0.9.0/usage/dynamic_form/intro.html">What is Dynamic Form?</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Display System</span></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#text">Text Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#html">HTML Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#table">Table Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#network">Network Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/angular_backend.html">Angular Display using Backend API</a></li> + <li><a href="/docs/0.9.0/usage/display_system/angular_frontend.html">Angular Display using Frontend API</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Interpreter</span></li> + <li><a href="/docs/0.9.0/usage/interpreter/overview.html">Overview</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/interpreter_binding_mode.html">Interpreter Binding Mode</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/user_impersonation.html">User Impersonation</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/dependency_management.html">Dependency Management</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/installation.html">Installing Interpreters</a></li> + <!--<li><a href="/docs/0.9.0/usage/interpreter/dynamic_loading.html">Dynamic Interpreter Loading (Experimental)</a></li>--> + <li><a href="/docs/0.9.0/usage/interpreter/execution_hooks.html">Execution Hooks (Experimental)</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Other Features</span></li> + <li><a href="/docs/0.9.0/usage/other_features/publishing_paragraphs.html">Publishing Paragraphs</a></li> + <li><a href="/docs/0.9.0/usage/other_features/personalized_mode.html">Personalized Mode</a></li> + <li><a href="/docs/0.9.0/usage/other_features/customizing_homepage.html">Customizing Zeppelin Homepage</a></li> + <li><a href="/docs/0.9.0/usage/other_features/notebook_actions.html">Notebook Actions</a></li> + <li><a href="/docs/0.9.0/usage/other_features/cron_scheduler.html">Cron Scheduler</a></li> + <li><a href="/docs/0.9.0/usage/other_features/zeppelin_context.html">Zeppelin Context</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>REST API</span></li> + <li><a href="/docs/0.9.0/usage/rest_api/interpreter.html">Interpreter API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/zeppelin_server.html">Zeppelin Server API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/notebook.html">Notebook API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/notebook_repository.html">Notebook Repository API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/configuration.html">Configuration API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/credential.html">Credential API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/helium.html">Helium API</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Setup<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Basics</span></li> + <li><a href="/docs/0.9.0/setup/basics/how_to_build.html">How to Build Zeppelin</a></li> + <li><a href="/docs/0.9.0/setup/basics/hadoop_integration.html">Hadoop Integration</a></li> + <li><a href="/docs/0.9.0/setup/basics/multi_user_support.html">Multi-user Support</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Deployment</span></li> + <!--<li><a href="/docs/0.9.0/setup/deployment/docker.html">Docker Image for Zeppelin</a></li>--> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-standalone-mode">Spark Cluster Mode: Standalone</a></li> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-on-yarn-mode">Spark Cluster Mode: YARN</a></li> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-on-mesos-mode">Spark Cluster Mode: Mesos</a></li> + <li><a href="/docs/0.9.0/setup/deployment/flink_and_spark_cluster.html">Zeppelin with Flink, Spark Cluster</a></li> + <li><a href="/docs/0.9.0/setup/deployment/cdh.html">Zeppelin on CDH</a></li> + <li><a href="/docs/0.9.0/setup/deployment/virtual_machine.html">Zeppelin on VM: Vagrant</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Security</span></li> + <li><a href="/docs/0.9.0/setup/security/authentication_nginx.html">HTTP Basic Auth using NGINX</a></li> + <li><a href="/docs/0.9.0/setup/security/shiro_authentication.html">Shiro Authentication</a></li> + <li><a href="/docs/0.9.0/setup/security/notebook_authorization.html">Notebook Authorization</a></li> + <li><a href="/docs/0.9.0/setup/security/datasource_authorization.html">Data Source Authorization</a></li> + <li><a href="/docs/0.9.0/setup/security/http_security_headers.html">HTTP Security Headers</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Notebook Storage</span></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-local-git-repository">Git Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-s3">S3 Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-azure">Azure Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-oss">OSS Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-zeppelinhub">ZeppelinHub Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-mongodb">MongoDB Storage</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Operation</span></li> + <li><a href="/docs/0.9.0/setup/operation/configuration.html">Configuration</a></li> + <li><a href="/docs/0.9.0/setup/operation/proxy_setting.html">Proxy Setting</a></li> + <li><a href="/docs/0.9.0/setup/operation/upgrading.html">Upgrading</a></li> + <li><a href="/docs/0.9.0/setup/operation/trouble_shooting.html">Trouble Shooting</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Interpreter <b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Interpreters</span></li> + <li><a href="/docs/0.9.0/usage/interpreter/overview.html">Overview</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/interpreter/spark.html">Spark</a></li> + <li><a href="/docs/0.9.0/interpreter/jdbc.html">JDBC</a></li> + <li><a href="/docs/0.9.0/interpreter/python.html">Python</a></li> + <li><a href="/docs/0.9.0/interpreter/r.html">R</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/interpreter/alluxio.html">Alluxio</a></li> + <li><a href="/docs/0.9.0/interpreter/beam.html">Beam</a></li> + <li><a href="/docs/0.9.0/interpreter/bigquery.html">BigQuery</a></li> + <li><a href="/docs/0.9.0/interpreter/cassandra.html">Cassandra</a></li> + <li><a href="/docs/0.9.0/interpreter/elasticsearch.html">Elasticsearch</a></li> + <li><a href="/docs/0.9.0/interpreter/flink.html">Flink</a></li> + <li><a href="/docs/0.9.0/interpreter/geode.html">Geode</a></li> + <li><a href="/docs/0.9.0/interpreter/groovy.html">Groovy</a></li> + <li><a href="/docs/0.9.0/interpreter/hazelcastjet.html">Hazelcast Jet</a></li> + <li><a href="/docs/0.9.0/interpreter/hbase.html">HBase</a></li> + <li><a href="/docs/0.9.0/interpreter/hdfs.html">HDFS</a></li> + <li><a href="/docs/0.9.0/interpreter/hive.html">Hive</a></li> + <li><a href="/docs/0.9.0/interpreter/ignite.html">Ignite</a></li> + <li><a href="/docs/0.9.0/interpreter/java.html">Java</a></li> + <li><a href="/docs/0.9.0/interpreter/jupyter.html">Jupyter</a></li> + <li><a href="/docs/0.9.0/interpreter/kotlin.html">Kotlin</a></li> + <li><a href="/docs/0.9.0/interpreter/kylin.html">Kylin</a></li> + <li><a href="/docs/0.9.0/interpreter/lens.html">Lens</a></li> + <li><a href="/docs/0.9.0/interpreter/livy.html">Livy</a></li> + <li><a href="/docs/0.9.0/interpreter/markdown.html">Markdown</a></li> + <li><a href="/docs/0.9.0/interpreter/mongodb.html">MongoDB</a></li> + <li><a href="/docs/0.9.0/interpreter/neo4j.html">Neo4j</a></li> + <li><a href="/docs/0.9.0/interpreter/pig.html">Pig</a></li> + <li><a href="/docs/0.9.0/interpreter/postgresql.html">Postgresql, HAWQ</a></li> + <li><a href="/docs/0.9.0/interpreter/scalding.html">Scalding</a></li> + <li><a href="/docs/0.9.0/interpreter/scio.html">Scio</a></li> + <li><a href="/docs/0.9.0/interpreter/shell.html">Shell</a></li> + <li><a href="/docs/0.9.0/interpreter/sparql.html">Sparql</a></li> + <li><a href="/docs/0.9.0/interpreter/submarine.html">Submarine</a></li> + </ul> + </li> + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu" style="right: 0; left: auto;"> + <li class="title"><span>Extending Zeppelin</span></li> + <li><a href="/docs/0.9.0/development/writing_zeppelin_interpreter.html">Writing Zeppelin Interpreter</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Helium (Experimental)</span></li> + <li><a href="/docs/0.9.0/development/helium/overview.html">Overview</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_application.html">Writing Helium Application</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_spell.html">Writing Helium Spell</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_visualization_basic.html">Writing Helium Visualization: Basics</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_visualization_transformation.html">Writing Helium Visualization: Transformation</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Contributing to Zeppelin</span></li> + <li><a href="/docs/0.9.0/setup/basics/how_to_build.html">How to Build Zeppelin</a></li> + <li><a href="/docs/0.9.0/development/contribution/useful_developer_tools.html">Useful Developer Tools</a></li> + <li><a href="/docs/0.9.0/development/contribution/how_to_contribute_code.html">How to Contribute (code)</a></li> + <li><a href="/docs/0.9.0/development/contribution/how_to_contribute_website.html">How to Contribute (website)</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>External Resources</span></li> + <li><a target="_blank" href="https://zeppelin.apache.org/community.html";>Mailing List</a></li> + <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/ZEPPELIN/Zeppelin+Home";>Apache Zeppelin Wiki</a></li> + <li><a target="_blank" href="http://stackoverflow.com/questions/tagged/apache-zeppelin";>Stackoverflow Questions about Zeppelin</a></li> + </ul> + </li> + <li> + <a href="/docs/0.9.0/search.html" class="nav-search-link"> + <span class="fa fa-search nav-search-icon"></span> + </a> + </li> + </ul> + </nav><!--/.navbar-collapse --> + </div> + </div> + + + + <div class="content"> + +<!--<div class="hero-unit Notebook Authorization in Apache Zeppelin"> + <h1></h1> +</div> +--> + +<div class="row"> + <div class="col-md-12"> + <!-- +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +<h1>Zeppelin Notebook Authorization</h1> + +<div id="toc"></div> + +<h2>Overview</h2> + +<p>We assume that there is an <strong>Shiro Authentication</strong> component that associates a user string and a set of group strings with every NotebookSocket. +If you don't set the authentication components yet, please check <a href="./shiro_authentication.html">Shiro authentication for Apache Zeppelin</a> first.</p> + +<h2>Authorization Setting</h2> + +<p>You can set Zeppelin notebook permissions in each notebooks. Of course only <strong>notebook owners</strong> can change this configuration. +Just click <strong>Lock icon</strong> and open the permission setting page in your notebook.</p> + +<p>As you can see, each Zeppelin notebooks has 3 entities :</p> + +<ul> +<li>Owners ( users or groups )</li> +<li>Readers ( users or groups )</li> +<li>Writers ( users or groups )</li> +<li>Runners ( users or groups )</li> +</ul> + +<p><center><img src="/docs/0.9.0/assets/themes/zeppelin/img/docs-img/permission_setting.png"></center></p> + +<p>Fill out the each forms with comma seperated <strong>users</strong> and <strong>groups</strong> configured in <code>conf/shiro.ini</code> file. +If the form is empty (*), it means that any users can perform that operation.</p> + +<p>If someone who doesn't have <strong>read</strong> permission is trying to access the notebook or someone who doesn't have <strong>write</strong> permission is trying to edit the notebook, +or someone who doesn't have <strong>run</strong> permission is trying to run a paragraph Zeppelin will ask to login or block the user.</p> + +<p>By default, owners and writers have <strong>write</strong> permission, owners, writers and runners have <strong>run</strong> permission, owners, writers, runners and readers have <strong>read</strong> permission</p> + +<p><center><img src="/docs/0.9.0/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png"></center></p> + +<h2>Separate notebook workspaces (public vs. private)</h2> + +<p>By default, the authorization rights allow other users to see the newly created note, meaning the workspace is <code>public</code>. This behavior is controllable and can be set through either <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> variable in <code>conf/zeppelin-env.sh</code>, or through <code>zeppelin.notebook.public</code> property in <code>conf/zeppelin-site.xml</code>. Thus, in order to make newly created note appear only in your <code>private</code> workspace by default, you can set either <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> to <code>false</code> in your <code>conf/zeppelin-env.sh</code> as follows:</p> +<div class="highlight"><pre><code class="bash language-bash" data-lang="bash"><span class="nb">export </span><span class="nv">ZEPPELIN_NOTEBOOK_PUBLIC</span><span class="o">=</span><span class="s2">"false"</span> +</code></pre></div> +<p>or set <code>zeppelin.notebook.public</code> property to <code>false</code> in <code>conf/zeppelin-site.xml</code> as follows:</p> +<div class="highlight"><pre><code class="xml language-xml" data-lang="xml"><span class="nt"><property></span> + <span class="nt"><name></span>zeppelin.notebook.public<span class="nt"></name></span> + <span class="nt"><value></span>false<span class="nt"></value></span> + <span class="nt"><description></span>Make notebook public by default when created, private otherwise<span class="nt"></description></span> +<span class="nt"></property></span> +</code></pre></div> +<p>Behind the scenes, when you create a new note only the <code>owners</code> field is filled with current user, leaving <code>readers</code>, <code>runners</code> and <code>writers</code> fields empty. All the notes with at least one empty authorization field are considered to be in <code>public</code> workspace. Thus when setting <code>zeppelin.notebook.public</code> (or corresponding <code>ZEPPELIN_NOTEBOOK_PUBLIC</code>) to false, newly created notes have <code>readers</code>, <code>runners</code>, <code>writers</code> fields filled with current user, making note appear as in <code>private</code> workspace.</p> + +<h2>How it works</h2> + +<p>In this section, we will explain the detail about how the notebook authorization works in backend side.</p> + +<h3>NotebookServer</h3> + +<p>The <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java";>NotebookServer</a> classifies every notebook operations into three categories: <strong>Read</strong>, <strong>Run</strong>, <strong>Write</strong>, <strong>Manage</strong>. +Before executing a notebook operation, it checks if the user and the groups associated with the <code>NotebookSocket</code> have permissions. +For example, before executing a <strong>Read</strong> operation, it checks if the user and the groups have at least one entity that belongs to the <strong>Reader</strong> entities.</p> + +<h3>Notebook REST API call</h3> + +<p>Zeppelin executes a <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/NotebookRestApi.java";>REST API call</a> for the notebook permission information. +In the backend side, Zeppelin gets the user information for the connection and allows the operation if the users and groups +associated with the current user have at least one entity that belongs to owner entities for the notebook.</p> + + </div> +</div> + + + <hr> + <footer> + <!-- <p>© 2020 The Apache Software Foundation</p>--> + </footer> + </div> + + + + + <script type="text/javascript"> + (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ + (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), + m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) + })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); + + ga('create', 'UA-45176241-5', 'zeppelin.apache.org'); + ga('require', 'linkid', 'linkid.js'); + ga('send', 'pageview'); + +</script> + + + + </body> +</html> +
Added: zeppelin/site/docs/0.9.0/setup/security/shiro_authentication.html URL: http://svn.apache.org/viewvc/zeppelin/site/docs/0.9.0/setup/security/shiro_authentication.html?rev=1884775&view=auto ============================================================================== --- zeppelin/site/docs/0.9.0/setup/security/shiro_authentication.html (added) +++ zeppelin/site/docs/0.9.0/setup/security/shiro_authentication.html Thu Dec 24 14:36:01 2020 @@ -0,0 +1,623 @@ + +<!DOCTYPE html> +<html lang="en"> + <head> + <meta charset="utf-8"> + <title>Apache Zeppelin 0.9.0 Documentation: Apache Shiro Authentication for Apache Zeppelin</title> + <meta name="description" content="Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. This document explains step by step how Shiro can be used for Zeppelin notebook authentication."> + <meta name="author" content="The Apache Software Foundation"> + + <!-- Enable responsive viewport --> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + + <!-- Le HTML5 shim, for IE6-8 support of HTML elements --> + <!--[if lt IE 9]> + <script src="http://html5shim.googlecode.com/svn/trunk/html5.js";></script> + <![endif]--> + + <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet"> + + <!-- Le styles --> + <link href="/docs/0.9.0/assets/themes/zeppelin/bootstrap/css/bootstrap.css" rel="stylesheet"> + <link href="/docs/0.9.0/assets/themes/zeppelin/css/style.css?body=1" rel="stylesheet" type="text/css"> + <link href="/docs/0.9.0/assets/themes/zeppelin/css/syntax.css" rel="stylesheet" type="text/css" media="screen" /> + <!-- Le fav and touch icons --> + <!-- Update these with your own images + <link rel="shortcut icon" href="images/favicon.ico"> + <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> + <link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png"> + <link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png"> + --> + + <!-- Js --> + <script src="https://code.jquery.com/jquery-1.10.2.min.js";></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/bootstrap/js/bootstrap.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/docs.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/anchor.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/toc.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/lunr.min.js"></script> + <script src="/docs/0.9.0/assets/themes/zeppelin/js/search.js"></script> + + <!-- atom & rss feed --> + <link href="/docs/0.9.0/atom.xml" type="application/atom+xml" rel="alternate" title="Sitewide ATOM Feed"> + <link href="/docs/0.9.0/rss.xml" type="application/rss+xml" rel="alternate" title="Sitewide RSS Feed"> + </head> + + <body> + + <div id="menu" class="navbar navbar-inverse navbar-fixed-top" role="navigation"> + <div class="container navbar-container"> + <div class="navbar-header"> + <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> + <span class="sr-only">Toggle navigation</span> + <span class="icon-bar"></span> + <span class="icon-bar"></span> + <span class="icon-bar"></span> + </button> + <div class="navbar-brand"> + <a class="navbar-brand-main" href="http://zeppelin.apache.org";> + <img src="/docs/0.9.0/assets/themes/zeppelin/img/zeppelin_logo.png" width="50" + style="margin-top: -2px;" alt="I'm zeppelin"> + <span style="margin-left: 5px; font-size: 27px;">Zeppelin</span> + <a class="navbar-brand-version" href="/docs/0.9.0" + style="font-size: 15px; color: white;"> 0.9.0 + </a> + </a> + </div> + </div> + <nav class="navbar-collapse collapse" role="navigation"> + <ul class="nav navbar-nav"> + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Quick Start <b class="caret"></b></a> + <ul class="dropdown-menu"> + <li class="title"><span>Getting Started</span></li> + <li><a href="/docs/0.9.0/quickstart/install.html">Install</a></li> + <li><a href="/docs/0.9.0/quickstart/explore_ui.html">Explore UI</a></li> + <li><a href="/docs/0.9.0/quickstart/tutorial.html">Tutorial</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Run Mode</span></li> + <li><a href="/docs/0.9.0/quickstart/kubernetes.html">Kubernetes</a></li> + <li><a href="/docs/0.9.0/quickstart/docker.html">Docker</a></li> + <li><a href="/docs/0.9.0/quickstart/yarn.html">Yarn</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/quickstart/spark_with_zeppelin.html">Spark with Zeppelin</a></li> + <li><a href="/docs/0.9.0/quickstart/sql_with_zeppelin.html">SQL with Zeppelin</a></li> + <li><a href="/docs/0.9.0/quickstart/python_with_zeppelin.html">Python with Zeppelin</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Usage<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Dynamic Form</span></li> + <li><a href="/docs/0.9.0/usage/dynamic_form/intro.html">What is Dynamic Form?</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Display System</span></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#text">Text Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#html">HTML Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#table">Table Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/basic.html#network">Network Display</a></li> + <li><a href="/docs/0.9.0/usage/display_system/angular_backend.html">Angular Display using Backend API</a></li> + <li><a href="/docs/0.9.0/usage/display_system/angular_frontend.html">Angular Display using Frontend API</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Interpreter</span></li> + <li><a href="/docs/0.9.0/usage/interpreter/overview.html">Overview</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/interpreter_binding_mode.html">Interpreter Binding Mode</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/user_impersonation.html">User Impersonation</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/dependency_management.html">Dependency Management</a></li> + <li><a href="/docs/0.9.0/usage/interpreter/installation.html">Installing Interpreters</a></li> + <!--<li><a href="/docs/0.9.0/usage/interpreter/dynamic_loading.html">Dynamic Interpreter Loading (Experimental)</a></li>--> + <li><a href="/docs/0.9.0/usage/interpreter/execution_hooks.html">Execution Hooks (Experimental)</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Other Features</span></li> + <li><a href="/docs/0.9.0/usage/other_features/publishing_paragraphs.html">Publishing Paragraphs</a></li> + <li><a href="/docs/0.9.0/usage/other_features/personalized_mode.html">Personalized Mode</a></li> + <li><a href="/docs/0.9.0/usage/other_features/customizing_homepage.html">Customizing Zeppelin Homepage</a></li> + <li><a href="/docs/0.9.0/usage/other_features/notebook_actions.html">Notebook Actions</a></li> + <li><a href="/docs/0.9.0/usage/other_features/cron_scheduler.html">Cron Scheduler</a></li> + <li><a href="/docs/0.9.0/usage/other_features/zeppelin_context.html">Zeppelin Context</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>REST API</span></li> + <li><a href="/docs/0.9.0/usage/rest_api/interpreter.html">Interpreter API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/zeppelin_server.html">Zeppelin Server API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/notebook.html">Notebook API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/notebook_repository.html">Notebook Repository API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/configuration.html">Configuration API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/credential.html">Credential API</a></li> + <li><a href="/docs/0.9.0/usage/rest_api/helium.html">Helium API</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Setup<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Basics</span></li> + <li><a href="/docs/0.9.0/setup/basics/how_to_build.html">How to Build Zeppelin</a></li> + <li><a href="/docs/0.9.0/setup/basics/hadoop_integration.html">Hadoop Integration</a></li> + <li><a href="/docs/0.9.0/setup/basics/multi_user_support.html">Multi-user Support</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Deployment</span></li> + <!--<li><a href="/docs/0.9.0/setup/deployment/docker.html">Docker Image for Zeppelin</a></li>--> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-standalone-mode">Spark Cluster Mode: Standalone</a></li> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-on-yarn-mode">Spark Cluster Mode: YARN</a></li> + <li><a href="/docs/0.9.0/setup/deployment/spark_cluster_mode.html#spark-on-mesos-mode">Spark Cluster Mode: Mesos</a></li> + <li><a href="/docs/0.9.0/setup/deployment/flink_and_spark_cluster.html">Zeppelin with Flink, Spark Cluster</a></li> + <li><a href="/docs/0.9.0/setup/deployment/cdh.html">Zeppelin on CDH</a></li> + <li><a href="/docs/0.9.0/setup/deployment/virtual_machine.html">Zeppelin on VM: Vagrant</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Security</span></li> + <li><a href="/docs/0.9.0/setup/security/authentication_nginx.html">HTTP Basic Auth using NGINX</a></li> + <li><a href="/docs/0.9.0/setup/security/shiro_authentication.html">Shiro Authentication</a></li> + <li><a href="/docs/0.9.0/setup/security/notebook_authorization.html">Notebook Authorization</a></li> + <li><a href="/docs/0.9.0/setup/security/datasource_authorization.html">Data Source Authorization</a></li> + <li><a href="/docs/0.9.0/setup/security/http_security_headers.html">HTTP Security Headers</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Notebook Storage</span></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-local-git-repository">Git Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-s3">S3 Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-azure">Azure Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-oss">OSS Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-zeppelinhub">ZeppelinHub Storage</a></li> + <li><a href="/docs/0.9.0/setup/storage/storage.html#notebook-storage-in-mongodb">MongoDB Storage</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Operation</span></li> + <li><a href="/docs/0.9.0/setup/operation/configuration.html">Configuration</a></li> + <li><a href="/docs/0.9.0/setup/operation/proxy_setting.html">Proxy Setting</a></li> + <li><a href="/docs/0.9.0/setup/operation/upgrading.html">Upgrading</a></li> + <li><a href="/docs/0.9.0/setup/operation/trouble_shooting.html">Trouble Shooting</a></li> + </ul> + </li> + + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">Interpreter <b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu"> + <li class="title"><span>Interpreters</span></li> + <li><a href="/docs/0.9.0/usage/interpreter/overview.html">Overview</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/interpreter/spark.html">Spark</a></li> + <li><a href="/docs/0.9.0/interpreter/jdbc.html">JDBC</a></li> + <li><a href="/docs/0.9.0/interpreter/python.html">Python</a></li> + <li><a href="/docs/0.9.0/interpreter/r.html">R</a></li> + <li role="separator" class="divider"></li> + <li><a href="/docs/0.9.0/interpreter/alluxio.html">Alluxio</a></li> + <li><a href="/docs/0.9.0/interpreter/beam.html">Beam</a></li> + <li><a href="/docs/0.9.0/interpreter/bigquery.html">BigQuery</a></li> + <li><a href="/docs/0.9.0/interpreter/cassandra.html">Cassandra</a></li> + <li><a href="/docs/0.9.0/interpreter/elasticsearch.html">Elasticsearch</a></li> + <li><a href="/docs/0.9.0/interpreter/flink.html">Flink</a></li> + <li><a href="/docs/0.9.0/interpreter/geode.html">Geode</a></li> + <li><a href="/docs/0.9.0/interpreter/groovy.html">Groovy</a></li> + <li><a href="/docs/0.9.0/interpreter/hazelcastjet.html">Hazelcast Jet</a></li> + <li><a href="/docs/0.9.0/interpreter/hbase.html">HBase</a></li> + <li><a href="/docs/0.9.0/interpreter/hdfs.html">HDFS</a></li> + <li><a href="/docs/0.9.0/interpreter/hive.html">Hive</a></li> + <li><a href="/docs/0.9.0/interpreter/ignite.html">Ignite</a></li> + <li><a href="/docs/0.9.0/interpreter/java.html">Java</a></li> + <li><a href="/docs/0.9.0/interpreter/jupyter.html">Jupyter</a></li> + <li><a href="/docs/0.9.0/interpreter/kotlin.html">Kotlin</a></li> + <li><a href="/docs/0.9.0/interpreter/kylin.html">Kylin</a></li> + <li><a href="/docs/0.9.0/interpreter/lens.html">Lens</a></li> + <li><a href="/docs/0.9.0/interpreter/livy.html">Livy</a></li> + <li><a href="/docs/0.9.0/interpreter/markdown.html">Markdown</a></li> + <li><a href="/docs/0.9.0/interpreter/mongodb.html">MongoDB</a></li> + <li><a href="/docs/0.9.0/interpreter/neo4j.html">Neo4j</a></li> + <li><a href="/docs/0.9.0/interpreter/pig.html">Pig</a></li> + <li><a href="/docs/0.9.0/interpreter/postgresql.html">Postgresql, HAWQ</a></li> + <li><a href="/docs/0.9.0/interpreter/scalding.html">Scalding</a></li> + <li><a href="/docs/0.9.0/interpreter/scio.html">Scio</a></li> + <li><a href="/docs/0.9.0/interpreter/shell.html">Shell</a></li> + <li><a href="/docs/0.9.0/interpreter/sparql.html">Sparql</a></li> + <li><a href="/docs/0.9.0/interpreter/submarine.html">Submarine</a></li> + </ul> + </li> + <li> + <a href="#" data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a> + <ul class="dropdown-menu scrollable-menu" style="right: 0; left: auto;"> + <li class="title"><span>Extending Zeppelin</span></li> + <li><a href="/docs/0.9.0/development/writing_zeppelin_interpreter.html">Writing Zeppelin Interpreter</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Helium (Experimental)</span></li> + <li><a href="/docs/0.9.0/development/helium/overview.html">Overview</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_application.html">Writing Helium Application</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_spell.html">Writing Helium Spell</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_visualization_basic.html">Writing Helium Visualization: Basics</a></li> + <li><a href="/docs/0.9.0/development/helium/writing_visualization_transformation.html">Writing Helium Visualization: Transformation</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>Contributing to Zeppelin</span></li> + <li><a href="/docs/0.9.0/setup/basics/how_to_build.html">How to Build Zeppelin</a></li> + <li><a href="/docs/0.9.0/development/contribution/useful_developer_tools.html">Useful Developer Tools</a></li> + <li><a href="/docs/0.9.0/development/contribution/how_to_contribute_code.html">How to Contribute (code)</a></li> + <li><a href="/docs/0.9.0/development/contribution/how_to_contribute_website.html">How to Contribute (website)</a></li> + <li role="separator" class="divider"></li> + <li class="title"><span>External Resources</span></li> + <li><a target="_blank" href="https://zeppelin.apache.org/community.html";>Mailing List</a></li> + <li><a target="_blank" href="https://cwiki.apache.org/confluence/display/ZEPPELIN/Zeppelin+Home";>Apache Zeppelin Wiki</a></li> + <li><a target="_blank" href="http://stackoverflow.com/questions/tagged/apache-zeppelin";>Stackoverflow Questions about Zeppelin</a></li> + </ul> + </li> + <li> + <a href="/docs/0.9.0/search.html" class="nav-search-link"> + <span class="fa fa-search nav-search-icon"></span> + </a> + </li> + </ul> + </nav><!--/.navbar-collapse --> + </div> + </div> + + + + <div class="content"> + +<!--<div class="hero-unit Apache Shiro Authentication for Apache Zeppelin"> + <h1></h1> +</div> +--> + +<div class="row"> + <div class="col-md-12"> + <!-- +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +--> + +<h1>Apache Shiro authentication for Apache Zeppelin</h1> + +<div id="toc"></div> + +<h2>Overview</h2> + +<p><a href="http://shiro.apache.org/";>Apache Shiro</a> is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. In this documentation, we will explain step by step how Shiro works for Zeppelin notebook authentication.</p> + +<p>When you connect to Apache Zeppelin, you will be asked to enter your credentials. Once you logged in, then you have access to all notes including other user's notes.</p> + +<h2>Important Note</h2> + +<p>By default, Zeppelin allows anonymous access. It is strongly recommended that you consider setting up Apache Shiro for authentication (as described in this document, see 2 Secure the Websocket channel), or only deploy and use Zeppelin in a secured and trusted environment.</p> + +<h2>Security Setup</h2> + +<p>You can setup <strong>Zeppelin notebook authentication</strong> in some simple steps.</p> + +<h3>1. Enable Shiro</h3> + +<p>By default in <code>conf</code>, you will find <code>shiro.ini.template</code>, this file is used as an example and it is strongly recommended +to create a <code>shiro.ini</code> file by doing the following command line</p> +<div class="highlight"><pre><code class="bash language-bash" data-lang="bash">cp conf/shiro.ini.template conf/shiro.ini +</code></pre></div> +<p>For the further information about <code>shiro.ini</code> file format, please refer to <a href="http://shiro.apache.org/configuration.html#Configuration-INISections";>Shiro Configuration</a>.</p> + +<h3>2. Start Zeppelin</h3> +<div class="highlight"><pre><code class="bash language-bash" data-lang="bash">bin/zeppelin-daemon.sh start <span class="c">#(or restart)</span> +</code></pre></div> +<p>Then you can browse Zeppelin at <a href="http://localhost:8080";>http://localhost:8080</a>.</p> + +<h3>3. Login</h3> + +<p>Finally, you can login using one of the below <strong>username/password</strong> combinations.</p> + +<p><center><img src="/docs/0.9.0/assets/themes/zeppelin/img/docs-img/zeppelin-login.png"></center></p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[users] + +admin = password1, admin +user1 = password2, role1, role2 +user2 = password3, role3 +user3 = password4, role2 +</code></pre></div> +<p>You can set the roles for each users next to the password.</p> + +<h2>Groups and permissions (optional)</h2> + +<p>In case you want to leverage user groups and permissions, use one of the following configuration for LDAP or AD under <code>[main]</code> segment in <code>shiro.ini</code>.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm +activeDirectoryRealm.systemUsername = userNameA +activeDirectoryRealm.systemPassword = passwordA +activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM +activeDirectoryRealm.url = ldap://ldap.test.com:389 +activeDirectoryRealm.groupRolesMap = "CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"group1" +activeDirectoryRealm.authorizationCachingEnabled = false +activeDirectoryRealm.principalSuffix = @corp.company.net + +ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm +# search base for ldap groups (only relevant for LdapGroupRealm): +ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM +ldapRealm.contextFactory.url = ldap://ldap.test.com:389 +ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM +ldapRealm.contextFactory.authenticationMechanism = simple +</code></pre></div> +<p>also define roles/groups that you want to have in system, like below;</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[roles] +admin = * +hr = * +finance = * +group1 = * +</code></pre></div> +<h2>Configure Realm (optional)</h2> + +<p>Realms are responsible for authentication and authorization in Apache Zeppelin. By default, Apache Zeppelin uses <a href="https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/realm/text/IniRealm.html";>IniRealm</a> (users and groups are configurable in <code>conf/shiro.ini</code> file under <code>[user]</code> and <code>[group]</code> section). You can also leverage Shiro Realms like <a href="https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/realm/ldap/JndiLdapRealm.html";>JndiLdapRealm</a>, <a href="https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/realm/jdbc/JdbcRealm.html";>JdbcRealm</a> or create <a href="https://shiro.apache.org/static/latest/apidocs/org/apache/shiro/realm/AuthorizingRealm.html";>our own</a>. +To learn more about Apache Shiro Realm, please check <a href="http://shiro.apache.org/realm.html";>this documentation</a>.</p> + +<p>We also provide community custom Realms.</p> + +<p><strong>Note</strong>: When using any of the below realms the default + password-based (IniRealm) authentication needs to be disabled.</p> + +<h3>Active Directory</h3> +<div class="highlight"><pre><code class="text language-text" data-lang="text">activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm +activeDirectoryRealm.systemUsername = userNameA +activeDirectoryRealm.systemPassword = passwordA +activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks +activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM +activeDirectoryRealm.url = ldap://ldap.test.com:389 +activeDirectoryRealm.groupRolesMap = "CN=aGroupName,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"group1" +activeDirectoryRealm.authorizationCachingEnabled = false +activeDirectoryRealm.principalSuffix = @corp.company.net +</code></pre></div> +<p>Also instead of specifying systemPassword in clear text in shiro.ini administrator can choose to specify the same in "hadoop credential". +Create a keystore file using the hadoop credential commandline, for this the hadoop commons should be in the classpath +<code>hadoop credential create activeDirectoryRealm.systempassword -provider jceks://file/user/zeppelin/conf/zeppelin.jceks</code></p> + +<p>Change the following values in the Shiro.ini file, and uncomment the line: +<code>activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks</code></p> + +<h3>LDAP</h3> + +<p>Two options exist for configuring an LDAP Realm. The simpler to use is the LdapGroupRealm. How ever it has limited +flexibility with mapping of ldap groups to users and for authorization for user groups. A sample configuration file for +this realm is given below.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">ldapRealm = org.apache.zeppelin.realm.LdapGroupRealm +# search base for ldap groups (only relevant for LdapGroupRealm): +ldapRealm.contextFactory.environment[ldap.searchBase] = dc=COMPANY,dc=COM +ldapRealm.contextFactory.url = ldap://ldap.test.com:389 +ldapRealm.userDnTemplate = uid={0},ou=Users,dc=COMPANY,dc=COM +ldapRealm.contextFactory.authenticationMechanism = simple +</code></pre></div> +<p>The other more flexible option is to use the LdapRealm. It allows for mapping of ldapgroups to roles and also allows for + role/group based authentication into the zeppelin server. Sample configuration for this realm is given below.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[main] +ldapRealm=org.apache.zeppelin.realm.LdapRealm + +ldapRealm.contextFactory.authenticationMechanism=simple +ldapRealm.contextFactory.url=ldap://localhost:33389 +ldapRealm.userDnTemplate=uid={0},ou=people,dc=hadoop,dc=apache,dc=org +# Ability to set ldap paging Size if needed default is 100 +ldapRealm.pagingSize = 200 +ldapRealm.authorizationEnabled=true +ldapRealm.contextFactory.systemAuthenticationMechanism=simple +ldapRealm.searchBase=dc=hadoop,dc=apache,dc=org +ldapRealm.userSearchBase = dc=hadoop,dc=apache,dc=org +ldapRealm.groupSearchBase = ou=groups,dc=hadoop,dc=apache,dc=org +ldapRealm.groupObjectClass=groupofnames +# Allow userSearchAttribute to be customized +ldapRealm.userSearchAttributeName = sAMAccountName +ldapRealm.memberAttribute=member +# force usernames returned from ldap to lowercase useful for AD +ldapRealm.userLowerCase = true +# ability set searchScopes subtree (default), one, base +ldapRealm.userSearchScope = subtree; +ldapRealm.groupSearchScope = subtree; +ldapRealm.memberAttributeValueTemplate=cn={0},ou=people,dc=hadoop,dc=apache,dc=org +ldapRealm.contextFactory.systemUsername=uid=guest,ou=people,dc=hadoop,dc=apache,dc=org +ldapRealm.contextFactory.systemPassword=S{ALIAS=ldcSystemPassword} +# enable support for nested groups using the LDAP_MATCHING_RULE_IN_CHAIN operator +ldapRealm.groupSearchEnableMatchingRuleInChain = true +# optional mapping from physical groups to logical application roles +ldapRealm.rolesByGroup = LDN_USERS: user_role, NYK_USERS: user_role, HKG_USERS: user_role, GLOBAL_ADMIN: admin_role +# optional list of roles that are allowed to authenticate. Incase not present all groups are allowed to authenticate (login). +# This changes nothing for url specific permissions that will continue to work as specified in [urls]. +ldapRealm.allowedRolesForAuthentication = admin_role,user_role +ldapRealm.permissionsByRole= user_role = *:ToDoItemsJdo:*:*, *:ToDoItem:*:*; admin_role = * +securityManager.sessionManager = $sessionManager +securityManager.realms = $ldapRealm +</code></pre></div> +<p>Also instead of specifying systemPassword in clear text in <code>shiro.ini</code> administrator can choose to specify the same in "hadoop credential". +Create a keystore file using the hadoop credential command line: +<code> +hadoop credential create ldapRealm.systemPassword -provider jceks://file/user/zeppelin/conf/zeppelin.jceks +</code></p> + +<p>Add the following line in the <code>shiro.ini</code> file: +<code> +ldapRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/conf/zeppelin.jceks +</code></p> + +<h3>PAM</h3> + +<p><a href="https://en.wikipedia.org/wiki/Pluggable_authentication_module";>PAM</a> authentication support allows the reuse of existing authentication +moduls on the host where Zeppelin is running. On a typical system modules are configured per service for example sshd, passwd, etc. under <code>/etc/pam.d/</code>. You can +either reuse one of these services or create your own for Zeppelin. Activiting PAM authentication requires two parameters: + 1. realm: The Shiro realm being used + 2. service: The service configured under <code>/etc/pam.d/</code> to be used. The name here needs to be the same as the file name under <code>/etc/pam.d/</code></p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[main] + pamRealm=org.apache.zeppelin.realm.PamRealm + pamRealm.service=sshd +</code></pre></div> +<h3>ZeppelinHub</h3> + +<p><a href="https://www.zeppelinhub.com";>ZeppelinHub</a> is a service that synchronize your Apache Zeppelin notebooks and enables you to collaborate easily.</p> + +<p>To enable login with your ZeppelinHub credential, apply the following change in <code>conf/shiro.ini</code> under <code>[main]</code> section.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">### A sample for configuring ZeppelinHub Realm +zeppelinHubRealm = org.apache.zeppelin.realm.ZeppelinHubRealm +## Url of ZeppelinHub +zeppelinHubRealm.zeppelinhubUrl = https://www.zeppelinhub.com +securityManager.realms = $zeppelinHubRealm +</code></pre></div> +<blockquote> +<p>Note: ZeppelinHub is not related to Apache Zeppelin project.</p> +</blockquote> + +<h3>Knox SSO</h3> + +<p><a href="https://knox.apache.org/books/knox-0-13-0/dev-guide.html#KnoxSSO+Integration";>KnoxSSO</a> provides an abstraction for integrating any number of authentication systems and SSO solutions and enables participating web applications to scale to those solutions more easily. Without the token exchange capabilities offered by KnoxSSO each component UI would need to integrate with each desired solution on its own.</p> + +<p>To enable this, apply the following change in <code>conf/shiro.ini</code> under <code>[main]</code> section.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">### A sample for configuring Knox JWT Realm +knoxJwtRealm = org.apache.zeppelin.realm.jwt.KnoxJwtRealm +## Domain of Knox SSO +knoxJwtRealm.providerUrl = https://domain.example.com/ +## Url for login +knoxJwtRealm.login = gateway/knoxsso/knoxauth/login.html +## Url for logout +knoxJwtRealm.logout = gateway/knoxssout/api/v1/webssout +knoxJwtRealm.redirectParam = originalUrl +knoxJwtRealm.cookieName = hadoop-jwt +knoxJwtRealm.publicKeyPath = /etc/zeppelin/conf/knox-sso.pem +knoxJwtRealm.groupPrincipalMapping = group.principal.mapping +knoxJwtRealm.principalMapping = principal.mapping +# This is required if KNOX SSO is enabled, to check if "knoxJwtRealm.cookieName" cookie was expired/deleted. +authc = org.apache.zeppelin.realm.jwt.KnoxAuthenticationFilter +</code></pre></div> +<h3>HTTP SPNEGO Authentication</h3> + +<p>HTTP SPNEGO (Simple and Protected GSS-API NEGOtiation) is the standard way to support Kerberos Ticket based user authentication for Web Services. Based on <a href="https://hadoop.apache.org/docs/current/hadoop-auth/index.html";>Apache Hadoop Auth</a>, Zeppelin supports ability to authenticate users by accepting and validating their Kerberos Ticket.</p> + +<p>When HTTP SPNEGO Authentication is enabled for Zeppelin, the <a href="https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-common/GroupsMapping.html";>Apache Hadoop Groups Mapping</a> configuration will used internally to determine group membership of user who is trying to log in. Role-based access permission can be set based on groups as seen by Hadoop.</p> + +<p>To enable this, apply the following change in <code>conf/shiro.ini</code> under <code>[main]</code> section.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">krbRealm = org.apache.zeppelin.realm.kerberos.KerberosRealm +krbRealm.principal=HTTP/zeppelin.fqdn.domain....@example.com +krbRealm.keytab=/etc/security/keytabs/spnego.service.keytab +krbRealm.nameRules=DEFAULT +krbRealm.signatureSecretFile=/etc/security/http_secret +krbRealm.tokenValidity=36000 +krbRealm.cookieDomain=domain.com +krbRealm.cookiePath=/ +authc = org.apache.zeppelin.realm.kerberos.KerberosAuthenticationFilter +</code></pre></div> +<p>For above configuration to work, user need to do some more configurations outside Zeppelin.</p> + +<p>1). A valid SPNEGO keytab should be available on the Zeppelin node and should be readable by 'zeppelin' user. If there is a SPNEGO keytab already available (because of other Hadoop service), it can be reused here and no need to generate a new keytab. An example of working SPNEGO keytab could be: +``` +$ klist -kt /etc/security/keytabs/spnego.service.keytab +Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab +KVNO Timestamp Principal</p> + +<hr> + +<p>2 11/26/2018 16:58:38 HTTP/zeppelin.fqdn.domain....@example.com + 2 11/26/2018 16:58:38 HTTP/zeppelin.fqdn.domain....@example.com + 2 11/26/2018 16:58:38 HTTP/zeppelin.fqdn.domain....@example.com + 2 11/26/2018 16:58:38 HTTP/zeppelin.fqdn.domain....@example.com +<code> +and the keytab permission should be: (VERY IMPORTANT to not to set this to 777 or readable by all !!!): +</code> +$ ls -l /etc/security/keytabs/spnego.service.keytab +-r--r-----. 1 root hadoop 346 Nov 26 16:58 /etc/security/keytabs/spnego.service.keytab +``` +Above 'zeppelin' user happens to be member of 'hadoop' group.</p> + +<p>2). A secret signature file must be present on Zeppelin node (readable to 'zeppelin' user). This file contains the random binary numbers which is used to sign 'hadoop.auth' cookie, generated during SPNEGO exchange. If such a file is already generated and available on the Zeppelin node, it should be used rather than generating a new file.</p> + +<p>Commands to generate a secret signature file (if required): +<code> +dd if=/dev/urandom of=/etc/security/http_secret bs=1024 count=1 +chown hdfs:hadoop /etc/security/http_secret +chmod 440 /etc/security/http_secret +</code></p> + +<h2>Secure Cookie for Zeppelin Sessions (optional)</h2> + +<p>Zeppelin can be configured to set <code>HttpOnly</code> flag in the session cookie. With this configuration, Zeppelin cookies can +not be accessed via client side scripts thus preventing majority of Cross-site scripting (XSS) attacks.</p> + +<p>To enable secure cookie support via Shiro, add the following lines in <code>conf/shiro.ini</code> under <code>[main]</code> section, after +defining a <code>sessionManager</code>.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">cookie = org.apache.shiro.web.servlet.SimpleCookie +cookie.name = JSESSIONID +cookie.secure = true +cookie.httpOnly = true +sessionManager.sessionIdCookie = $cookie +</code></pre></div> +<h2>Secure your Zeppelin information (optional)</h2> + +<p>By default, anyone who defined in <code>[users]</code> can share <strong>Interpreter Setting</strong>, <strong>Credential</strong> and <strong>Configuration</strong> information in Apache Zeppelin. +Sometimes you might want to hide these information for your use case. +Since Shiro provides <strong>url-based security</strong>, you can hide the information by commenting or uncommenting these below lines in <code>conf/shiro.ini</code>.</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[urls] + +/api/interpreter/** = authc, roles[admin] +/api/configurations/** = authc, roles[admin] +/api/credential/** = authc, roles[admin] +</code></pre></div> +<p>In this case, only who have <code>admin</code> role can see <strong>Interpreter Setting</strong>, <strong>Credential</strong> and <strong>Configuration</strong> information. +If you want to grant this permission to other users, you can change <strong>roles[ ]</strong> as you defined at <code>[users]</code> section.</p> + +<h3>Apply multiple roles in Shiro configuration</h3> + +<p>By default, Shiro will allow access to a URL if only user is part of "<strong>all the roles</strong>" defined like this:</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[urls] + +/api/interpreter/** = authc, roles[admin, role1] +</code></pre></div> +<h3>Apply multiple roles or user in Shiro configuration</h3> + +<p>If there is a need that user with "<strong>any of the defined roles or user itself</strong>" should be allowed, then following Shiro configuration can be used:</p> +<div class="highlight"><pre><code class="text language-text" data-lang="text">[main] +anyofrolesuser = org.apache.zeppelin.utils.AnyOfRolesUserAuthorizationFilter + +[urls] + +/api/interpreter/** = authc, anyofrolesuser[admin, user1] +/api/configurations/** = authc, roles[admin] +/api/credential/** = authc, roles[admin] +</code></pre></div> +<p><br/></p> + +<blockquote> +<p><strong>NOTE :</strong> All of the above configurations are defined in the <code>conf/shiro.ini</code> file.</p> +</blockquote> + +<h2>FAQ</h2> + +<p>Zeppelin sever is configured as form-based authentication but is behind proxy configured as basic-authentication for example <a href="./authentication_nginx.html#http-basic-authentication-using-nginx">NGINX</a> and don't want Zeppelin-Server to clear authentication headers. </p> + +<blockquote> +<p>Set <code>zeppelin.server.authorization.header.clear</code> to <code>false</code> in zeppelin-site.xml</p> +</blockquote> + +<h2>Other authentication methods</h2> + +<ul> +<li><a href="./authentication_nginx.html">HTTP Basic Authentication using NGINX</a></li> +</ul> + + </div> +</div> + + + <hr> + <footer> + <!-- <p>© 2020 The Apache Software Foundation</p>--> + </footer> + </div> + + + + + <script type="text/javascript"> + (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ + (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), + m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) + })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); + + ga('create', 'UA-45176241-5', 'zeppelin.apache.org'); + ga('require', 'linkid', 'linkid.js'); + ga('send', 'pageview'); + +</script> + + + + </body> +</html> +
