[ZEPPELIN-2647] Bypass auth logic when a user logins as admin role

[yu74n]

What is this PR for?

For administrator, make new admin role that assigned user can see all notebooks.

What type of PR is it?

Improvement

What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-2647

How should this be tested?

1. Set role name to use as admin through ZEPPELIN_OWNER_ROLE = or zeppelin.owner.role = .
   Default role name is admin
2. Login as user who is not assigned as admin and create notebook.
3. Logout the user and login another user who is assigned as admin, open the created notebook.

Questions:

• Does the licenses files need update? N
• Is there breaking changes for older versions? Y/N
• Does this needs documentation? Y

[yu74n]

continued from #2525 #2416

[1ambda]

Thanks for the contribution @yu74n
Looks Good to Me. Let me test more cases and then left feedback soon.

[felixcheung]

I feel the property name might not be very intuitive, how about calling it zeppelin.notebook.default.owner.username or something similar?

[yu74n]

Thank you for reviewing. It would be better, I think too. I'll fix it.

[1ambda]

LGTM.

[1ambda]

I wanted to merge now. But cound't find the build history.

• https://builds.apache.org/job/zeppelin-pull-request/2960/

@yu74n if you don't mind close and reopen this issue to trigger jenkins?

[yu74n]

@1ambda Sure. I've done that

[1ambda]

The 3/4 jobs failed. Please rebase this PR based on master. And Could you resolve them?

• https://travis-ci.org/yu74n/zeppelin/jobs/279807406
• https://travis-ci.org/yu74n/zeppelin/jobs/279807407

[yu74n]

I rebased and ran test again, but this test is still failed.
https://travis-ci.org/yu74n/zeppelin/jobs/286508544

I think probably my PR doesn't affect the test.
I ran test several times, but failed tests were changed each time.

[1ambda]

Hi, Thanks for rebasing and testing. But this recent PR passed the CI.
If you don't mind please re-run few more times and check the failure reasons for every trial?

If we can verify it's a flaky test, we can merge, but without evidence, we can't do that.

[felixcheung]

not sure this is related to this PR but not clear how this test can fail

  InterpreterModeActionsIT.testPerUserScopedAction:564 The number of python process is
Expected: "2"
     but: was "1"

[yu74n]

Rerun all tests.
'testPerUserScopedAction' is passed this time, but other 4 tests are failed.
These 4 tests were passed before.

ZeppelinSparkClusterTest.pySparkDepLoaderTest:478 expected:<FINISHED> but was:<ERROR>
ZeppelinSparkClusterTest.pySparkAutoConvertOptionTest:358 expected:<FINISHED> but was:<ERROR>
ZeppelinSparkClusterTest.pySparkTest:259 expected:<FINISHED> but was:<ERROR>
ZeppelinSparkClusterTest.sparkRTest:209 expected:<[[1] 3]> but was:<[<pre><code>Error in invokeJava(isStatic = TRUE, className, methodName, ...): java.lang.IllegalStateException: Cannot call methods on a stopped SparkContext.

[yu74n]

All tests are passed, but NotebookTest has an error.
java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: java.net.SocketException: Connection reset

[yu74n]

and rerun the failed travis job manually, the job is passed.
https://travis-ci.org/yu74n/zeppelin/jobs/295676369

[yu74n]

What do you think about that? @1ambda @felixcheung

[felixcheung]

btw, what if zeppelin.notebook.default.owner.username is unset or set to ""?

[yu74n]

@felixcheung if unset zeppelin.notebook.default.owner.username, set 'admin' as default value.
https://github.com/apache/zeppelin/pull/2585/files#diff-179ea3a816210bb9904baabec1a552e4R716

[felixcheung]

hmm, ok if it has

  <name>zeppelin.notebook.default.owner.username</name>
   <value></value>

?

[yu74n]

@felixcheung
I've changed default value is blank.
if set blank as zeppelin.notebook.default.owner.username, disable admin role.

[felixcheung]

ok, could you explain how

if set blank as zeppelin.notebook.default.owner.username, disable admin role.

?
I think also it'll be good to match template to the default value

[yu74n]

if set blank as default owner username, apply blank('') to the admin role. but, I think, a user cannot set blank as login user name. so nearly equal as disable admin role.
if a user would create blank user or blank role, the user can access all notebooks though.

[felixcheung]

hmm, since this is around security perhaps we need to be more careful?
how about we add a check for the owner username is valid (at least not "") and not add to the admin role if it is not valid?

[yu74n]

Actually, I thought so too when I explained how if the owner name is blank. I've fixed that.
I've changed config template to be disable admin role.
Could you review that again?
@felixcheung

[felixcheung]

btw, did we say this isn't just for private mode any more?

[yu74n]

oops, You are right. This is for both public and private. I've fixed it.

[felixcheung]

please use org.apache.commons.lang.StringUtils IsBlank()

[yu74n]

Thanks, fixed it.

[felixcheung]

could you check if it's related? https://travis-ci.org/yu74n/zeppelin/builds/299517426

[felixcheung]

LGTM pending tests

[yu74n]

CI failed at testRunOnSelectionChange()

java.lang.AssertionError: Even if 'RunOnSelectionChange' is set as false, still can run the paragraph by pressing ENTER 
Expected: "My selection is 1"
but: was "My selection is 2"

This test is related to 'Run on selection change' checkbox in paragraph menu.
I think the reason why that test is failed would be timing error, cause of the test code ran the paragraph before the checkbox was unchecked. Then I think the test is not related to my PR.

I rerun the CI job manually, all tests are passed.
https://travis-ci.org/yu74n/zeppelin/builds/299517426

[felixcheung]

ok thanks

[felixcheung]

merging if no more comment