Peter Lee created ZEPPELIN-5709:
-----------------------------------

Summary: AuthorizationService.isRunner always return true if there's no user/roles info in context
Key: ZEPPELIN-5709
URL: https://issues.apache.org/jira/browse/ZEPPELIN-5709
Project: Zeppelin
Issue Type: Improvement
Reporter: Peter Lee
Hey dear Zeppelin maintainers,

I'm new to Zeppelin. I'm testing with localhost and found that _AuthorizationService.isRunner_ will always return true if _context.getUserAndRoles()_ is empty. After some digging I found that it's caused by _AuthorizationService.isMember_:

{code:java}
// return true if b is empty or if (a intersection b) is non-empty
private boolean isMember(Set<String> a, Set<String> b) {
  Set<String> intersection = new HashSet<>(b);
  intersection.retainAll(a);
  return (b.isEmpty() || (intersection.size() > 0));
}
{code}

The current implementation of _isMember_ will return true if _Set<String> b_ is empty. In my case the variable _b_ is exactly the _context.getUserAndRoles()_. As I'm new to Zeppelin, I am not clear on why it's like this. IMHO the _isMember_ should return false if _b_ is empty.

Besides that, I'm not clear on the meaning of Reader/Writer/Runner. Is this implementation something like Linux's w/r/x authorization implementation? I'm asking this because I found that the Reader requires more authorization than the Runner does. And I'm curious why it's designed like this. :)

{code:java}
public boolean isReader(String noteId, Set<String> entities) {
  return isMember(entities, getReaders(noteId)) ||
      isMember(entities, getOwners(noteId)) ||
      isMember(entities, getWriters(noteId)) ||
      isMember(entities, getRunners(noteId)) ||
      isAdmin(entities);
}

public boolean isRunner(String noteId, Set<String> entities) {
  return isMember(entities, getRunners(noteId)) ||
      isMember(entities, getWriters(noteId)) ||
      isMember(entities, getOwners(noteId)) ||
      isAdmin(entities);
}
{code}

Thank you guys for maintaining such a great repo.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
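The behaviour the issue describes, as an added stand-alone example (this is not Zeppelin's code and does not reproduce its call sites): the quoted _isMember_ logic is placed beside a variant that refuses an empty caller set, and both are run over constructed permission sets. The class name, the helper names and the sample sets are assumptions for illustration. The point it makes is that the quoted method treats an empty second argument as "no restriction" regardless of what that argument represents, so a call site that passes the caller's user/roles set as _b_ gets an unconditional true when the caller is anonymous.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not Zeppelin code. Compares the membership check quoted in
 * ZEPPELIN-5709 with a variant that denies callers carrying no identity.
 */
public class IsMemberDemo {

    /** Quoted logic: true if b is empty or if a and b intersect. */
    static boolean isMemberLenient(Set<String> a, Set<String> b) {
        Set<String> intersection = new HashSet<>(b);
        intersection.retainAll(a);
        return b.isEmpty() || !intersection.isEmpty();
    }

    /**
     * Stricter variant (assumed, not from the project): a caller with no
     * user/roles never passes; an unconfigured permission list is still
     * treated as "unrestricted", which keeps notes without an ACL open.
     * Naming the parameters by role makes an argument-order mix-up visible.
     */
    static boolean isMemberStrict(Set<String> callerEntities, Set<String> allowedEntities) {
        if (callerEntities.isEmpty()) {
            return false;
        }
        Set<String> intersection = new HashSet<>(allowedEntities);
        intersection.retainAll(callerEntities);
        return allowedEntities.isEmpty() || !intersection.isEmpty();
    }

    static Set<String> of(String... names) {
        return new HashSet<>(Arrays.asList(names));
    }

    static void report(String label, Set<String> caller, Set<String> allowed) {
        System.out.printf("%-36s caller=%-14s allowed=%-10s lenient=%-5s strict=%s%n",
                label, caller, allowed,
                isMemberLenient(caller, allowed),
                isMemberStrict(caller, allowed));
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Set<String> anonymous = of();               // empty context.getUserAndRoles()
        Set<String> alice = of("alice", "dev");     // a logged-in user with one role
        Set<String> noRunners = of();               // note with no runners configured
        Set<String> opsRunners = of("ops");         // note restricted to the "ops" role

        // Permission list as the second argument (the order used by isRunner).
        report("anonymous, note has no runners", anonymous, noRunners);
        report("anonymous, note restricted to ops", anonymous, opsRunners);
        report("alice, note restricted to ops", alice, opsRunners);
        report("alice, note has no runners", alice, noRunners);

        // Caller set as the second argument: the lenient check says yes for
        // any anonymous caller, whatever the note's permission list holds.
        report("swapped args: anonymous caller", opsRunners, anonymous);
        report("swapped args: alice", opsRunners, alice);
    }
}
```

Run it with `javac IsMemberDemo.java && java IsMemberDemo`. The two rows that differ between the columns are the ones with an empty caller set: the lenient check grants access when the empty set lands in the second position, while the strict variant denies both orderings. Whether an empty permission list should mean "everyone" or "nobody" is a policy decision for the maintainers; the example only separates that question from the separate question of whether a caller with no identity should ever match.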