This is an automated email from the ASF dual-hosted git repository. zjffdu pushed a commit to branch gh-pages in repository https://gitbox.apache.org/repos/asf/zeppelin.git
The following commit(s) were added to refs/heads/gh-pages by this push: new e1e50b28c6 Zeppelin Security page (#4478) e1e50b28c6 is described below commit e1e50b28c6125b94d01b122b471f5a18cff30d35 Author: Arnout Engelen <arn...@bzzt.net> AuthorDate: Wed Oct 19 10:09:07 2022 +0200 Zeppelin Security page (#4478) --- _includes/themes/zeppelin/_navigation.html | 1 + security.md | 76 ++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) diff --git a/_includes/themes/zeppelin/_navigation.html b/_includes/themes/zeppelin/_navigation.html index a77c5d6e94..e0510247f2 100644 --- a/_includes/themes/zeppelin/_navigation.html +++ b/_includes/themes/zeppelin/_navigation.html @@ -33,6 +33,7 @@ <li><a href="/docs/0.9.0">0.9.0</a></li> <li><a href="/docs/0.8.2">0.8.2</a></li> <li><a href="documentation.html">Older Versions</a></li> + <li class="title"><span><b><a href="security.html">Security</a></b><span></li> </ul> </li> diff --git a/security.md b/security.md new file mode 100644 index 0000000000..912b08e354 --- /dev/null +++ b/security.md 
@@ -0,0 +1,76 @@ +# Zeppelin Security + +This page explains what security characteristics can be expected from +Zeppelin, what measures operators of a Zeppelin instance will have to +take, and how to report any security issues found in the Zeppelin +software. + +## Code execution on the server + +It is the nature of the Zeppelin software that it allows +uploading code from the browser and executing it on the server. + +Because of this, you should make sure your Zeppelin instance is only +available to trusted users, and the server on which Zeppelin is +installed does not contain any secrets or have privileges beyond +those the users are trusted with. + +### Zeppelin on Docker + +An exception to the above is when the Zeppelin interpreter +is [run in a Docker container](https://zeppelin.apache.org/docs/latest/quickstart/docker.html). +This isolates the operating environment of the interpreter through the docker container. + +### Zeppelin on Kubernetes + +A similar exception exists when Zeppelin is +[deployed on Kubernetes](https://zeppelin.apache.org/docs/latest/quickstart/kubernetes.html). +In this case Zeppelin creates pods for individual interpreters, +and also the Spark interpreter is auto configured to use Spark +on Kubernetes in client mode. + +## JavaScript code execution in the browser + +Zeppelin allows notes to produce rich output, including HTML and even +executing JavaScript code. This means that when users view each others' +notes, HTML and JavaScript controlled by the creator of the note will +be executed in the browser that views it. + +Because of this, you should make sure your Zeppelin instance is only +available to trusted users. When deploying Zeppelin on a domain that +is shared with other applications, appropriate measures may have to be +taken to avoid a compromised Zeppelin notebook to also grant access +to other services on the same domain. 
+ +## Authentication + +If you expose your Zeppelin instance on a network you don't fully trust, +you should configure [Apache Shiro authentication](https://zeppelin.apache.org/docs/latest/setup/security/shiro_authentication.html). + +Non-authenticated users cannot view, store or execute notes, so they +cannot execute code on the server or on other users' browsers. +Authenticated users, however, have the same access as described above, +so even when using authentication it is still important to only give +trusted users access to Zeppelin. Specifically, unless Docker or K8s +isolation has been configured as mentioned above, users technically +have access to all notes by other users. + +# Reporting security issues + +If you have found a potential security issue in Zeppelin, +such as a way to bypass the Shiro authentication, +we encourage you to report this problem at +[secur...@zeppelin.apache.org](mailto:secur...@zeppelin.apache.org). +This is a private mailing list. Please send one plain-text email +for each vulnerability you are reporting. + +## Vulnerability handling + +An overview of the vulnerability handling process is: + +* The reporter reports the vulnerability privately to [secur...@zeppelin.apache.org](mailto:secur...@zeppelin.apache.org). +* The Zeppelin project security team works privately with the reporter to resolve the vulnerability. +* The Zeppelin project creates a new release of the package the vulnerabilty affects to deliver its fix. +* The Zeppelin project publicly announces the vulnerability and describes how to apply the fix. + +Committers should read a [more detailed description of the process](https://www.apache.org/security/committers.html). Reporters of security vulnerabilities may also find it useful.
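Review bot: the new `<li>` in `_navigation.html` never closes its `<span>`: the line ends with `<span></li>` where `</span></li>` is intended, so the nav item opens a second span instead of closing the first. Suggest `<li class="title"><span><b><a href="security.html">Security</a></b></span></li>`.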
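Review bot: in `security.md`, the Authentication section states that "unless Docker or K8s isolation has been configured as mentioned above, users technically have access to all notes by other users", but the Docker and Kubernetes sections only describe isolating the interpreter's operating environment; the text does not explain how interpreter isolation stops one authenticated user from reading another user's notes, so either describe that mechanism or narrow the sentence to what interpreter isolation does protect (code execution reaching the server). Smaller points in the same hunk: "# Reporting security issues" is an H1 like the page title while its sibling sections use "##", so "Vulnerability handling" nests at the wrong level (suggest "## Reporting security issues"); "vulnerabilty" is misspelled in the release bullet; and "to avoid a compromised Zeppelin notebook to also grant access" should read "to prevent a compromised Zeppelin notebook from also granting access".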