[GitHub] zeppelin pull request #1694: [ZEPPELIN-1718] Prevent anonymous user to set n...

[asfgit]

Github user asfgit closed the pull request at:

https://github.com/apache/zeppelin/pull/1694


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #1694: [ZEPPELIN-1718] Prevent anonymous user to set n...

[AhyoungRyu]

GitHub user AhyoungRyu reopened a pull request:

https://github.com/apache/zeppelin/pull/1694

[ZEPPELIN-1718] Prevent anonymous user to set note permission

### What is this PR for?
Currently anonymous user can open the notebook permission page and type sth 
in `Owner`/ `Reader` / `Writer` and then even can save it. However, in fact, it 
doesn't work actually. 

e.g.  An anonymous user can type `admin` / `user1` to the note permission 
setting fields.

It doesn't make sense. At least we should disallow the non-authenticated 
users(a.k.a anonymous users) by deactivating those permission related 
features(will handle interpreter user setting in another PR). So what I did in 
this PR is
 - Hide note authorization setting fields with notice sentence in dialog & 
add related docs link: 
https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/notebook_authorization.html

### What type of PR is it?
Bug Fix | Improvement

### What is the Jira issue?
[ZEPPELIN-1718](https://issues.apache.org/jira/browse/ZEPPELIN-1718)

### How should this be tested?

### Screenshots (if appropriate)
 - Doesn't show note permission setting page & show warning dialog if 
anonymous user tries to click lock icon

![block](https://cloud.githubusercontent.com/assets/10060731/21294995/696ae582-c58e-11e6-912c-76a590d19e75.gif)


### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/AhyoungRyu/zeppelin prevent-anon-user

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/1694.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1694


commit 06c632641afcddf57d1b1a15248876c88fbbb8fe
Author: AhyoungRyu 
Date:   2016-12-18T16:00:21Z

Block anonymous user to set the note permission

commit b59771c0bfa44c352c6d2044599063a93f48a227
Author: AhyoungRyu 
Date:   2016-12-18T16:35:36Z

Remove useless div block




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #1694: [ZEPPELIN-1718] Prevent anonymous user to set n...

[AhyoungRyu]

Github user AhyoungRyu closed the pull request at:

https://github.com/apache/zeppelin/pull/1694


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #1694: [ZEPPELIN-1718] Prevent anonymous user to set n...

[AhyoungRyu]

GitHub user AhyoungRyu reopened a pull request:

https://github.com/apache/zeppelin/pull/1694

[ZEPPELIN-1718] Prevent anonymous user to set note permission / interpreter 
owner

### What is this PR for?
Currently anonymous user can set note permission / interpreter's owner like 
below

e.g. 
 - An anonymous user can type `admin` / `user1` to the note permission 
setting fields. (but it doesn't work actually)
 - The anonymous user can remove predefined `Owners` in the interpreter 
menu by editing it since we don't check the user's principal for this.

It doesn't make sense actually. At least we should disallow the 
non-authenticated users by deactivating those permission related features. So 
what I did in this PR is
 - "Set permission" checkbox for interpreter owner setting with notice 
sentence & related docs link: 
https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/shiroauthentication.html#security-setup
 - Hide note authorization setting fields with notice sentence & related 
docs link: 
https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/notebook_authorization.html

### What type of PR is it?
Bug Fix | Improvement

### Todos
- [ ] disallow anon users to edit all the other interpreter properties : 
not only "Set permissions" but also ...

### What is the Jira issue?
[ZEPPELIN-1718](https://issues.apache.org/jira/browse/ZEPPELIN-1718)

### How should this be tested?

### Screenshots (if appropriate)
 - Hide authorization setting fields for anon user in the note
https://cloud.githubusercontent.com/assets/10060731/20671445/c0553240-b5c0-11e6-8fe8-21ba4f4ae1dc.gif;>

 - Disable "Set permission" checkbox to anon user in the interpreter 
creation page
https://cloud.githubusercontent.com/assets/10060731/20671464/cf1beb5c-b5c0-11e6-8faf-47a73b0ebf38.png;>

 - Disable "Set permission" checkbox to anon user in the interpreter 
setting update page 
https://cloud.githubusercontent.com/assets/10060731/20671496/e548cf44-b5c0-11e6-9148-63946829db27.gif;>

### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/AhyoungRyu/zeppelin prevent-anon-user

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/1694.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1694


commit b59c22b0c4e71c158ffed4bd48d728059ad6077e
Author: AhyoungRyu 
Date:   2016-11-27T16:46:20Z

Prevent to set permission by anonymous user

commit 465a58547f0e383bddced37b294546f5ac1dc165
Author: AhyoungRyu 
Date:   2016-11-28T08:31:49Z

Remove some redundant parts

commit 29a0a08696215dc85bda467f80b0163ee671d35f
Author: AhyoungRyu 
Date:   2016-11-28T10:17:40Z

Revert again




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zeppelin pull request #1694: [ZEPPELIN-1718] Prevent anonymous user to set n...

[AhyoungRyu]

GitHub user AhyoungRyu opened a pull request:

https://github.com/apache/zeppelin/pull/1694

[ZEPPELIN-1718] Prevent anonymous user to set note permission / interpreter 
owner

### What is this PR for?
Currently anonymous user can set note permission / interpreter's owner like 
below

e.g. 
 - An anonymous user can type `admin` / `user1` to the note permission 
setting fields. (but it doesn't work actually)
 - The anonymous user can remove predefined `Owners` in the interpreter 
menu by editing it since we don't check the user's principal for this.

It doesn't make sense actually. At least we should disallow the 
non-authenticated users by deactivating those permission related features. So 
what I did in this PR is
 - "Set permission" checkbox for interpreter owner setting with notice 
sentence & related docs link: 
https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/shiroauthentication.html#security-setup
 - Hide note authorization setting fields with notice sentence & related 
docs link: 
https://zeppelin.apache.org/docs/0.7.0-SNAPSHOT/security/notebook_authorization.html

### What type of PR is it?
Bug Fix | Improvement

### Todos
- [ ] disallow anon users to edit all the other interpreter properties : 
not only "Set permissions" but also ...

### What is the Jira issue?
[ZEPPELIN-1718](https://issues.apache.org/jira/browse/ZEPPELIN-1718)

### How should this be tested?

### Screenshots (if appropriate)
 - Hide authorization setting fields for anon user in the note
https://cloud.githubusercontent.com/assets/10060731/20671445/c0553240-b5c0-11e6-8fe8-21ba4f4ae1dc.gif;>

 - Disable "Set permission" checkbox to anon user in the interpreter 
creation page
https://cloud.githubusercontent.com/assets/10060731/20671464/cf1beb5c-b5c0-11e6-8faf-47a73b0ebf38.png;>

 - Disable "Set permission" checkbox to anon user in the interpreter 
setting update page 
https://cloud.githubusercontent.com/assets/10060731/20671496/e548cf44-b5c0-11e6-9148-63946829db27.gif;>

### Questions:
* Does the licenses files need update? no
* Is there breaking changes for older versions? no
* Does this needs documentation? no


You can merge this pull request into a Git repository by running:

$ git pull https://github.com/AhyoungRyu/zeppelin prevent-anon-user

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/zeppelin/pull/1694.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1694


commit b59c22b0c4e71c158ffed4bd48d728059ad6077e
Author: AhyoungRyu 
Date:   2016-11-27T16:46:20Z

Prevent to set permission by anonymous user

commit 465a58547f0e383bddced37b294546f5ac1dc165
Author: AhyoungRyu 
Date:   2016-11-28T08:31:49Z

Remove some redundant parts

commit 29a0a08696215dc85bda467f80b0163ee671d35f
Author: AhyoungRyu 
Date:   2016-11-28T10:17:40Z

Revert again




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---