[ZEPPELIN-2647] Bypass auth logic when a user logins as admin role #2585
Thanks for the contribution @yu74n
conf/zeppelin-site.xml.template
@@ -384,6 +384,12 @@ | |||
</property> | |||
|
|||
<property> | |||
<name>zeppelin.owner.role</name> |
I feel the property name might not be very intuitive, how about calling it zeppelin.notebook.default.owner.username or something similar?
Thank you for reviewing. It would be better, I think too. I'll fix it.
84556a5
to
0dd1d72
Compare
LGTM.
I wanted to merge now. But couldn't find the build history. @yu74n if you don't mind, could you close and reopen this issue to trigger jenkins?
@1ambda Sure. I've done that
The 3/4 jobs failed. Please rebase this PR based on master. And could you resolve them?
0dd1d72
to
cfcea0d
Compare
I rebased and ran the test again, but this test still fails. I think probably my PR doesn't affect the test.
not sure this is related to this PR but not clear how this test can fail
InterpreterModeActionsIT.testPerUserScopedAction:564 The number of python process is
Expected: "2"
but: was "1"
cfcea0d
to
c461608
Compare
Rerun all tests.
c461608
to
98a9de0
Compare
All tests passed, but NotebookTest has an error.
I reran the failed travis job manually, and the job passed.
What do you think about that? @1ambda @felixcheung
btw, what if zeppelin.notebook.default.owner.username is unset or set to ""?
@felixcheung if unset zeppelin.notebook.default.owner.username, set 'admin' as default value.
hmm, ok if it has
<name>zeppelin.notebook.default.owner.username</name>
<value></value>
?
@felixcheung
ok, could you explain how
?
if set blank as default owner username, apply blank('') to the admin role. but, I think, a user cannot set blank as login user name. so nearly equal as disable admin role.
hmm, since this is around security perhaps we need to be more careful?
Actually, I thought so too when I explained how if the owner name is blank. I've fixed that.
conf/zeppelin-site.xml.template
@@ -394,6 +394,12 @@ | |||
</property> | |||
|
|||
<property> | |||
<name>zeppelin.notebook.default.owner.username</name> | |||
<value></value> | |||
<description>Set owner role by default in private mode</description> |
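Review bot: the `<description>` on the new property says "Set owner role by default in private mode" while the `<name>` ends in `owner.username`, so a reader cannot tell whether the value is matched against user names or role names, and nothing states what the empty `<value></value>` means. Given the PR title (bypass auth logic for the admin role), suggest a description that names the identity type being matched, says that holders bypass notebook permission checks, and says that an empty value disables the feature.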
btw, did we say this isn't just for private mode any more?
oops, You are right. This is for both public and private. I've fixed it.
|
||
private boolean isAdmin(Set<String> entities) { | ||
String adminRole = conf.getString(ConfVars.ZEPPELIN_OWNER_ROLE); | ||
if (adminRole.isEmpty()) { |
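Review bot: `if (adminRole.isEmpty())` in `isAdmin` throws a NullPointerException if `conf.getString(ConfVars.ZEPPELIN_OWNER_ROLE)` returns null, and it lets a whitespace-only value through as a name to match. Suggest a null-and-blank check that returns false so the check fails closed. Also, the parameter is `Set<String> entities`: if that set mixes user names with role names, a user whose login name equals the configured value would pass, so compare against roles only or document that matching either is intended.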
please use org.apache.commons.lang.StringUtils IsBlank()
Thanks, fixed it.
could you check if it's related? https://travis-ci.org/yu74n/zeppelin/builds/299517426
LGTM pending tests
CI failed at testRunOnSelectionChange() java.lang.AssertionError: Even if 'RunOnSelectionChange' is set as false, still can run the paragraph by pressing ENTER
Expected: "My selection is 1"
but: was "My selection is 2"
This test is related to 'Run on selection change' checkbox in paragraph menu. I reran the CI job manually, and all tests passed.
ok thanks
merging if no more comment
For administrator, make new admin role that assigned user can see all notebooks.

Improvement

https://issues.apache.org/jira/browse/ZEPPELIN-2647

1. Set role name to use as admin through ZEPPELIN_OWNER_ROLE = <role name> or zeppelin.owner.role = <role name>. Default role name is admin
2. Login as user who is not assigned as admin and create notebook.
3. Logout the user and login another user who is assigned as admin, open the created notebook.

* Does the licenses files need update? N
* Is there breaking changes for older versions? Y/N
* Does this needs documentation? Y

Author: Yuta Hongo <yutago@gmail.com>

Closes apache#2585 from yu74n/bypass-auth-logic and squashes the following commits:

c706302 [Yuta Hongo] Use StringUtils isBlank()
f6c6345 [Yuta Hongo] Remove description mentioned about private mode
c6e1382 [Yuta Hongo] Disable admin role by default
0170b3f [Yuta Hongo] Check if admin role is valid or not
532a49f [Yuta Hongo] Set blank as default.owner.username default value
98a9de0 [Yuta Hongo] Rename property name
26b818c [Yuta Hongo] Make admin role to bypass auth logic
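The blank-value case raised in the review thread, as an added example (not code from this PR or from Zeppelin): it contrasts a check that matches an empty setting with one that fails closed. The class `AdminRoleCheck`, its constructor, `naiveIsAdmin` and the sample identities are hypothetical, and a local `isBlank` stands in for `StringUtils.isBlank()`.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class AdminRoleCheck {
    // Hypothetical holder for the configured admin name; null means unset.
    private final String configuredAdmin;

    public AdminRoleCheck(String configuredAdmin) {
        this.configuredAdmin = configuredAdmin;
    }

    // Local null-safe blank test, standing in for StringUtils.isBlank().
    static boolean isBlank(String s) {
        return s == null || s.trim().isEmpty();
    }

    // Unsafe variant for comparison: an empty setting is matched like any
    // other name, so an entity set containing "" is treated as admin.
    public boolean naiveIsAdmin(Set<String> entities) {
        return configuredAdmin != null && entities.contains(configuredAdmin);
    }

    // Fail closed: a null, empty or whitespace-only setting disables the
    // bypass; it is never compared against the caller's entities.
    public boolean isAdmin(Set<String> entities) {
        if (isBlank(configuredAdmin) || entities == null) {
            return false;
        }
        return entities.contains(configuredAdmin.trim());
    }

    public static void main(String[] args) {
        // Constructed sample identities (user name plus roles).
        Set<String> alice = new HashSet<>(Arrays.asList("alice", "admin"));
        Set<String> bob = new HashSet<>(Arrays.asList("bob", "analyst"));
        Set<String> emptyName = new HashSet<>(Arrays.asList("", "analyst"));

        AdminRoleCheck named = new AdminRoleCheck("admin");
        AdminRoleCheck blank = new AdminRoleCheck("");
        AdminRoleCheck unset = new AdminRoleCheck(null);

        System.out.println("admin/alice: " + named.isAdmin(alice));
        System.out.println("admin/bob:   " + named.isAdmin(bob));
        System.out.println("blank naive: " + blank.naiveIsAdmin(emptyName));
        System.out.println("blank safe:  " + blank.isAdmin(emptyName));
        System.out.println("unset safe:  " + unset.isAdmin(alice));
    }
}
```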
What is this PR for?
For administrator, make new admin role that assigned user can see all notebooks.
What type of PR is it?
Improvement
What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2647
How should this be tested?
Default role name is admin
Questions: