Peter Lee created ZEPPELIN-5709:
-----------------------------------
Summary: AuthorizationService.isRunner always returns true if there's no user/roles info in context
Key: ZEPPELIN-5709
URL: https://issues.apache.org/jira/browse/ZEPPELIN-5709
Project: Zeppelin
Issue Type: Improvement
Reporter: Peter Lee
Hey dear Zeppelin maintainers, I'm new to Zeppelin.
I'm testing with localhost and found that _AuthorizationService.isRunner_ will
always return true if _context.getUserAndRoles()_ is empty.
After some digging I found that it's caused by _AuthorizationService.isMember_:
{code:java}
// return true if b is empty or if (a intersection b) is non-empty
private boolean isMember(Set<String> a, Set<String> b) {
  Set<String> intersection = new HashSet<>(b);
  intersection.retainAll(a);
  return (b.isEmpty() || (intersection.size() > 0));
}
{code}
The current implementation of _isMember_ will return true if _Set<String> b_ is
empty. In my case the variable _b_ is exactly the _context.getUserAndRoles()_.
As I'm new to Zeppelin, I am not clear on why it's like this. IMHO _isMember_
should return false if _b_ is empty.
Besides that, I'm not clear on the meaning of Reader/Writer/Runner. Is this
implementation something like Linux's w/r/x authorization implementation?
I'm asking this because I found that the Reader requires more authorization
than the Runner does, and I'm curious why it's designed like this. :)
{code:java}
public boolean isReader(String noteId, Set<String> entities) {
  return isMember(entities, getReaders(noteId)) ||
      isMember(entities, getOwners(noteId)) ||
      isMember(entities, getWriters(noteId)) ||
      isMember(entities, getRunners(noteId)) ||
      isAdmin(entities);
}

public boolean isRunner(String noteId, Set<String> entities) {
  return isMember(entities, getRunners(noteId)) ||
      isMember(entities, getWriters(noteId)) ||
      isMember(entities, getOwners(noteId)) ||
      isAdmin(entities);
}
{code}
Thank you guys for maintaining such a great repo.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
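Added illustration, not Zeppelin's own code: a small harness that evaluates a runner check shaped like the quoted isRunner once with the quoted isMember (empty set grants membership) and once with the deny-on-empty variant proposed in the report, over a constructed note ACL. The ACL values, the class and method names, and the omission of isAdmin are assumptions made for the example.

```java
import java.util.HashSet;
import java.util.Set;

// Constructed example for the report above; not Zeppelin's code.
public class IsMemberDemo {

    // The quoted isMember: an empty b grants membership to any a.
    static boolean isMemberLenient(Set<String> a, Set<String> b) {
        Set<String> intersection = new HashSet<>(b);
        intersection.retainAll(a);
        return b.isEmpty() || !intersection.isEmpty();
    }

    // The variant proposed in the report: an empty b grants nothing.
    static boolean isMemberStrict(Set<String> a, Set<String> b) {
        Set<String> intersection = new HashSet<>(b);
        intersection.retainAll(a);
        return !intersection.isEmpty();
    }

    // Membership policy passed in so both variants share one runner check.
    interface Membership { boolean test(Set<String> a, Set<String> b); }

    // Same shape as the quoted isRunner, with the isAdmin branch left out.
    static boolean isRunner(Membership m, Set<String> entities,
                            Set<String> runners, Set<String> writers, Set<String> owners) {
        return m.test(entities, runners) || m.test(entities, writers) || m.test(entities, owners);
    }

    public static void main(String[] args) {
        Set<String> noUser = Set.of();          // empty context.getUserAndRoles()
        Set<String> bob = Set.of("bob");        // a user listed nowhere on the note
        Set<String> alice = Set.of("alice");    // the one listed runner
        // Constructed note ACL: alice is the only runner; no writers or owners are set.
        Set<String> runners = Set.of("alice"), writers = Set.of(), owners = Set.of();

        // Lenient policy: the empty writers/owners sets satisfy isMember, so the
        // runners list never gets a say and every caller, even an empty one, is a runner.
        Membership lenient = IsMemberDemo::isMemberLenient;
        System.out.println("lenient, no user: " + isRunner(lenient, noUser, runners, writers, owners));
        System.out.println("lenient, bob:     " + isRunner(lenient, bob, runners, writers, owners));

        // Strict policy: only the entities that actually appear in a list qualify.
        Membership strict = IsMemberDemo::isMemberStrict;
        System.out.println("strict, no user:  " + isRunner(strict, noUser, runners, writers, owners));
        System.out.println("strict, bob:      " + isRunner(strict, bob, runners, writers, owners));
        System.out.println("strict, alice:    " + isRunner(strict, alice, runners, writers, owners));
    }
}
```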