Author: moon
Date: Fri Mar 18 16:34:07 2016
New Revision: 1735636

URL: http://svn.apache.org/viewvc?rev=1735636&view=rev
Log:
https://github.com/apache/incubator-zeppelin/pull/775


Added:
    incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-https.png   (with props)
    incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-request.png   (with props)
Modified:
    incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/atom.xml
    incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/rss.xml
    incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html

Added: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-https.png
URL: http://svn.apache.org/viewvc/incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-https.png?rev=1735636&view=auto
==============================================================================
Binary file - no diff available.

Propchange: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-https.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-request.png
URL: http://svn.apache.org/viewvc/incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-request.png?rev=1735636&view=auto
==============================================================================
Binary file - no diff available.

Propchange: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-request.png
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/atom.xml
URL: http://svn.apache.org/viewvc/incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/atom.xml?rev=1735636&r1=1735635&r2=1735636&view=diff
==============================================================================
--- incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/atom.xml (original)
+++ incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/atom.xml Fri Mar 18 
16:34:07 2016
@@ -4,7 +4,7 @@
  <title>Apache Zeppelin (incubating)</title>
  <link href="http://zeppelin.incubator.apache.org/"; rel="self"/>
  <link href="http://zeppelin.incubator.apache.org"/>
- <updated>2016-03-18T08:56:05-07:00</updated>
+ <updated>2016-03-18T09:33:39-07:00</updated>
  <id>http://zeppelin.incubator.apache.org</id>
  <author>
    <name>The Apache Software Foundation</name>

Modified: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/rss.xml
URL: http://svn.apache.org/viewvc/incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/rss.xml?rev=1735636&r1=1735635&r2=1735636&view=diff
==============================================================================
--- incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/rss.xml (original)
+++ incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/rss.xml Fri Mar 18 
16:34:07 2016
@@ -5,8 +5,8 @@
         <description>Apache Zeppelin (incubating) - The Apache Software 
Foundation</description>
         <link>http://zeppelin.incubator.apache.org</link>
         <link>http://zeppelin.incubator.apache.org</link>
-        <lastBuildDate>2016-03-18T08:56:05-07:00</lastBuildDate>
-        <pubDate>2016-03-18T08:56:05-07:00</pubDate>
+        <lastBuildDate>2016-03-18T09:33:39-07:00</lastBuildDate>
+        <pubDate>2016-03-18T09:33:39-07:00</pubDate>
         <ttl>1800</ttl>
 
 

Modified: incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html
URL: http://svn.apache.org/viewvc/incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html?rev=1735636&r1=1735635&r2=1735636&view=diff
==============================================================================
--- 
incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html
 (original)
+++ 
incubator/zeppelin/site/docs/0.6.0-incubating-SNAPSHOT/security/authentication.html
 Fri Mar 18 16:34:07 2016
@@ -179,6 +179,111 @@ limitations under the License.
 
 <p>One option is to use <a 
href="https://en.wikipedia.org/wiki/Basic_access_authentication";>Basic Access 
Authentication</a></p>
 
+<h3>HTTP Basic Authentication using NGINX</h3>
+
+<blockquote>
+<p><strong>Quote from Wikipedia:</strong> NGINX is a web server. It can act as 
a reverse proxy server for HTTP, HTTPS, SMTP, POP3, and IMAP protocols, as well 
as a load balancer and an HTTP cache.</p>
+</blockquote>
+
+<p>So you can use NGINX server as proxy server to serve HTTP Basic 
Authentication as a separate process along with Zeppelin server.
+Here are instructions how to accomplish the setup NGINX as a front-end 
authentication server and connect Zeppelin at behind.</p>
+
+<p>This instruction based on Ubuntu 14.04 LTS but may work with other OS with 
few configuration changes.</p>
+
+<ol>
+<li><p>Install NGINX server on your server instance</p>
+
+<p>You can install NGINX server with same machine where zeppelin installed or 
separate machine where it is dedicated to serve as proxy server.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">$ apt-get install nginx
+</code></pre></div></li>
+<li><p>Setup init script in NGINX</p>
+
+<p>In most cases, NGINX configuration located under 
<code>/etc/nginx/sites-available</code>. Create your own configuration or add 
your existing configuration at <code>/etc/nginx/sites-available</code>.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">$ cd /etc/nginx/sites-available
+$ touch my-basic-auth
+</code></pre></div>
+<p>Now add this script into <code>my-basic-auth</code> file. You can comment 
out <code>optional</code> lines If you want serve Zeppelin under regular HTTP 
80 Port.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">upstream zeppelin {
+    server [YOUR-ZEPPELIN-SERVER-IP]:8090;
+}
+
+upstream zeppelin-wss {
+    server [YOUR-ZEPPELIN-SERVER-IP]:8091;
+}
+
+# Zeppelin Website
+server {
+    listen [YOUR-ZEPPELIN-WEB-SERVER-PORT];
+    listen 443 ssl;  # optional, to serve HTTPS connection
+    server_name [YOUR-ZEPPELIN-SERVER-HOST];    # for example: 
zeppelin.mycompany.com
+
+    ssl_certificate [PATH-TO-YOUR-CERT-FILE];            # optional, to serve 
HTTPS connection
+    ssl_certificate_key [PATH-TO-YOUR-CERT-KEY-FILE];    # optional, to serve 
HTTPS connection
+
+    if ($ssl_protocol = &quot;&quot;) { 
+        rewrite ^ https://$host$request_uri? permanent;        # optional, 
force to use HTTPS
+    }
+
+    location / {
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+        proxy_pass http://zeppelin;
+        proxy_redirect off;
+        auth_basic &quot;Restricted&quot;;
+        auth_basic_user_file /etc/nginx/.htpasswd;
+    }
+}
+
+# Zeppelin Websocket
+server {
+    listen [YOUR-ZEPPELIN-WEBSOCKET-PORT] ssl;    # add ssl is optional, to 
serve HTTPS connection
+    server_name [YOUR-ZEPPELIN-SERVER-HOST];    # for example: 
zeppelin.mycompany.com
+
+    ssl_certificate [PATH-TO-YOUR-CERT-FILE];            # optional, to serve 
HTTPS connection
+    ssl_certificate_key [PATH-TO-YOUR-CERT-KEY-FILE];    # optional, to serve 
HTTPS connection
+
+    location / {
+        proxy_pass http://zeppelin-wss;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade websocket;
+        proxy_set_header Connection upgrade;
+        proxy_read_timeout 86400;
+    }
+}
+</code></pre></div>
+<p>Then make a symbolic link to this file from 
<code>/etc/nginx/sites-enabled/</code> to enable configuration above when NGINX 
reloads.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">$ ln -s /etc/nginx/sites-enabled/my-basic-auth 
/etc/nginx/sites-available/my-basic-auth
+</code></pre></div></li>
+<li><p>Setup user credential into <code>.htpasswd</code> file and restart 
server</p>
+
+<p>Now you need to setup <code>.htpasswd</code> file to serve list of 
authenticated user credentials for NGINX server.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">$ cd /etc/nginx
+$ htpasswd -c htpasswd [YOUR_ID]
+$ NEW passwd: [YOUR_PASSWORD]
+$ RE-type new passwd: [YOUR_PASSWORD_AGAIN]
+</code></pre></div>
+<p>Or you can use your own apache <code>.htpasswd</code> files in other 
location by setup property <code>auth_basic_user_file</code></p>
+
+<p>Restart NGINX server.</p>
+<div class="highlight"><pre><code class="text language-text" 
data-lang="text">$ service nginx restart
+</code></pre></div>
+<p>Then check HTTP Basic Authentication works in browser. If you can see 
regular basic auth popup and then able to login with credential you entered 
into <code>.htpasswd</code> you are good to go.</p>
+
+<p><img 
src="/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-request.png"
 />
+<img 
src="/assets/themes/zeppelin/img/screenshots/authentication-basic-auth-nginx-https.png"
 /></p></li>
+<li><p>More security consideration</p></li>
+</ol>
+
+<ul>
+<li>Using HTTPS connection with Basic Authentication is highly recommended 
since basic auth without encryption may expose your important credential 
information over the network.</li>
+<li>Using <a 
href="https://github.com/apache/incubator-zeppelin/blob/master/SECURITY-README.md";>Shiro
 Security feature built-into Zeppelin</a> is recommended if you prefer 
all-in-one solution for authentication but NGINX may provides ad-hoc solution 
for re-use authentication served by your system&#39;s NGINX server or in case 
of you need to separate authentication from zeppelin server.</li>
+<li>It is recommended to isolate direct connection to Zeppelin server from 
public internet or external services to secure your zeppelin instance from 
unexpected attack or problems caused by public zone.</li>
+</ul>
+
+<h3>Another option</h3>
+
 <p>Another option is to have an authentication server that can verify user 
credentials in an LDAP server.
 If an incoming request to the Zeppelin server does not have a cookie with user 
information encrypted with the authentication server public key, the user
 is redirected to the authentication server. Once the user is verified, the 
authentication server redirects the browser to a specific 
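
Review bot: The "Zeppelin Websocket" server block proxies "location /" to "zeppelin-wss" with no "auth_basic" or "auth_basic_user_file", so only the web port is placed behind Basic Authentication while the websocket port is forwarded without a credential check. Add the same two directives to that location, or say in the text that the websocket port must not be reachable from outside the proxy. Two commands in the steps also disagree with the config. "ln -s /etc/nginx/sites-enabled/my-basic-auth /etc/nginx/sites-available/my-basic-auth" has the target and link name reversed: the file was created in sites-available, so the link should be created in sites-enabled pointing at it. "htpasswd -c htpasswd [YOUR_ID]" run from /etc/nginx writes a file named "htpasswd", while the config reads "/etc/nginx/.htpasswd"; one of the two names needs to change. Finally, the text says the "optional" lines can be commented out for plain HTTP, but in the websocket block the "ssl" keyword is part of the "listen [YOUR-ZEPPELIN-WEBSOCKET-PORT] ssl;" directive itself, so the instruction should say to remove the keyword rather than comment the line.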

