GitHub user anthonycorbacho reopened a pull request: https://github.com/apache/zeppelin/pull/1567
[ZEPPELIN-1586] Add security check in NotebookRestApi

### What is this PR for?
Bring some security checks to `NotebookRestApi`.

### What type of PR is it?
[Bug Fix | Improvement | Refactoring]

### Todos
- [x] - Create a proper way to throw webapp error
- [x] - Add in `NotebookAuthorization` some method to check if user is owner, reader or writer
- [ ] - Add Authorization check in `NotebookRestapi`

### What is the Jira issue?
- [ZEPPELIN-1586](https://issues.apache.org/jira/browse/ZEPPELIN-1586)

### How should this be tested?
First, force Zeppelin to use auth.
- In `conf/zeppelin-site.xml` change `zeppelin.anonymous.allowed` to **false**
```
<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>
```
- In `conf/shiro.ini` set Shiro to use `Auth` at the end of the file
```
#/** = anon
/** = authc
```
- Start Zeppelin, log in and set some permissions on a note
- Try to get a note from the Zeppelin REST API `http://localhost:8080/api/notebook/{noteId}` (you can use your browser or curl (if you use curl, please add the Shiro token to the curl cookie))

### Screenshots (if appropriate)
![note_permission_rest_api](https://cloud.githubusercontent.com/assets/3139557/19827600/ffd68a06-9dea-11e6-8dd5-43f3bd401011.gif)

### Questions:
- Do the license files need an update? No
- Are there breaking changes for older versions? No
- Does this need documentation? Maybe

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/anthonycorbacho/incubator-zeppelin fix/ZEPPELIN-1586

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zeppelin/pull/1567.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #1567

----
commit a69a4e10c46452dcaaf8174c37e51705d6bc3214
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T05:49:10Z

    Add new method on ZeppelinConfiguration to get if zeppelin is running on anonymous mode or not

commit 859fba52799bc1690b0726dc6dc672f9c4b016a7
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T07:22:13Z

    Add new method to help to determine if user is part of writer and/or owner for the given note

commit 67c63148233c0bf31715c9d97b37f4702fb3d2e6
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T09:56:04Z

    Add new method to check if user and roles are member of the note (at least owner, reader, writer)

commit 43ec38932300db156a602507ae82a34a0b416257
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T09:57:06Z

    Replace check of anonymous by method

commit 860f4b4ff789ac7087932920f71a73b30cbc9ba8
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T11:19:32Z

    Add webapp exception handler :)

commit 01bec7ae0ece70fe5eed6f068bc40b4cc61ffd8d
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-28T11:19:54Z

    Handle security check

commit c0b98ffe2f1a3c4ee005ffe8b376bdc507eab2f0
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-10-29T05:58:04Z

    Rename permission check note :: be more meaningful

commit a1cc1b81bd8f69f068803e6e87d110805905a039
Author: Anthony Corbacho <corbacho.anth...@gmail.com>
Date: 2016-11-01T03:33:20Z

    Change cxf version from 2.7.7 to 2.7.8 to avoid method not found where throw WebAppException

----

---
If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA.
---
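
The kind of check the PR describes (is the caller an owner, writer or reader of the note, and if not, reject the REST read) can be modelled as follows. This is an added example, not code from the pull request or from Zeppelin: `NoteAcl`, `ForbiddenException`, `getNote` and the sample users are hypothetical, and treating a note with no permissions set as open is an assumption. It needs Java 16 or later.

```java
import java.util.*;

public class NotePermissionCheck {
    // Hypothetical per-note permission sets (names are not Zeppelin's).
    record NoteAcl(Set<String> owners, Set<String> writers, Set<String> readers) {
        // Assumption: a note with no permissions set is open to any authenticated user.
        boolean isOpen() { return owners.isEmpty() && writers.isEmpty() && readers.isEmpty(); }
    }

    // Hypothetical stand-in for a web exception that maps to HTTP 403.
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String message) { super(message); }
    }

    static boolean intersects(Set<String> ids, Set<String> allowed) {
        return !Collections.disjoint(ids, allowed);
    }

    // Each level implies the ones below it: owner > writer > reader.
    static boolean isOwner(Set<String> ids, NoteAcl a) { return a.isOpen() || intersects(ids, a.owners()); }
    static boolean isWriter(Set<String> ids, NoteAcl a) { return isOwner(ids, a) || intersects(ids, a.writers()); }
    static boolean isReader(Set<String> ids, NoteAcl a) { return isWriter(ids, a) || intersects(ids, a.readers()); }

    // Check performed before a read endpoint returns the note body.
    static String getNote(String noteId, String user, Set<String> roles, Map<String, NoteAcl> acls) {
        Set<String> ids = new HashSet<>(roles);
        ids.add(user); // the user name and each role are matched alike
        NoteAcl acl = acls.get(noteId);
        if (acl == null || !isReader(ids, acl)) {
            // Same answer for "missing" and "not permitted", so note ids cannot be probed.
            throw new ForbiddenException("Insufficient privileges to read note " + noteId);
        }
        return "{\"id\":\"" + noteId + "\"}";
    }

    public static void main(String[] args) {
        // Constructed sample data: alice owns the note, the "analyst" role may write.
        Map<String, NoteAcl> acls = Map.of(
            "note1", new NoteAcl(Set.of("alice"), Set.of("analyst"), Set.of()));
        System.out.println(getNote("note1", "alice", Set.of(), acls));        // owner
        System.out.println(getNote("note1", "bob", Set.of("analyst"), acls)); // writer through role
        try {
            getNote("note1", "carol", Set.of(), acls);                        // no permission
        } catch (ForbiddenException e) {
            System.out.println("403: " + e.getMessage());
        }
    }
}
```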