[ZEPPELIN-987] Enable user to secure interpreter setting, credentials and configurations info

[AhyoungRyu]

What is this PR for?

For some user cases, people might want to hide Interpreter Setting, Credentials and Configurations information to other users (who are defined in conf/shiro.ini). So I added

#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]

below the [urls] section.

This issue was originally suggested at Zeppelin user mailing list by @TomNorden

What type of PR is it?

Improvement | Documentation

Todos

• - Add interpreter, credential and configuration url to conf/shiro.ini
• - Update shiroauthentication.md for this change
• - Redirect to home with ngToast error message when status is 401
• - Rebase after [ZEPPELIN-1054] Improve "Credentials" UI  #1100 merged and add error message to Credential menu as well

What is the Jira issue?

ZEPPELIN-987

How should this be tested?

1. Apply this patch and restart Zeppelin
2. Login with admin and password1
3. Go to interpreter, credential and configuration tab -> You can see all of the information in each tabs
4. Logout -> Login again with user1 and password2
5. Go to interpreter, credential and configuration tab -> In this time, you can't see all of the information in each tabs

Screenshots (if appropriate)

• When you login with user1 (doesn't have permission to see the interpreter, credential and cofiguration info)
  • interpreter menu
    
  • configuration menu
    
  • credential menu
    
• shiroauthentication.md
  

Questions:

• Does the licenses files need update? No
• Is there breaking changes for older versions? No
• Does this needs documentation? Yes, so I updated.

[prabhjyotsingh]

@AhyoungRyu is this still a work in progress ?
Is there a way in which we can go away with seeing all of these three munu i.e. Interpreter setting, Credentials and Configurations if user is not authorize to ?

Otherwise LGTM.

[AhyoungRyu]

@prabhjyotsingh No, I'm just waiting some reviews. I'm not sure that i understood your comment correctly,

Is there a way in which we can go away with seeing all of these three menu i.e. Interpreter setting, Credentials and Configurations if user is not authorize to ?

I just wanted to make even if some users are already defined in [users] section, the other user ( maybe admin) can hide the three information. This is the scope of this PR :)

[prabhjyotsingh]

I was thinking if all of these 3 Interpreter, Credentials, and Configuration menu can be hidden, like the way they are hidden in case of user not loggedin.

[AhyoungRyu]

@prabhjyotsingh Yeah it makes sense. It would be better. Let me figure out it then :)

[echarles]

@AhyoungRyu If you can come to an implementation that fits @prabhjyotsingh good idea, it would be great if you could make it generic, with a configurable list of functions that reflect in to the menu.

[AhyoungRyu]

@echarles Yes. Thanks for your suggestion ! :)

[corneadoug]

@AhyoungRyu Still working on this?
Could you rebase the branch with master?

[AhyoungRyu]

@prabhjyotsingh Sorry for my late response. Even if they don't have permission to those menus(Interpretes, Configurations and Credentials), i think they need to know the existence of the menus. So I added ngToast error message instead of totally hiding the menus. See the updated gif images in the PR description. What do you think?

[prabhjyotsingh]

Sure this will work. Thanks for the fix.

[prabhjyotsingh]

Can you add one more role admin i.e. admin = * here, so that other user can also use that role.

[AhyoungRyu]

@prabhjyotsingh Thanks for your feedback. I addressed it :)

[prabhjyotsingh]

LGTM!

[AhyoungRyu]

@prabhjyotsingh i'll rebase after #1100 merged and add the alert message to credential page as well :)

[AhyoungRyu]

@prabhjyotsingh Since #1100 was merged into master, I updated credential.controler.js.

[prabhjyotsingh]

Tested on both firefox and chrome. Works well. 👍

[prabhjyotsingh]

Merging this if no more discussion.