15 | 15 | * limitations under the License. |
16 | 16 | */ |
17 | 17 |
|
18 | | -#Shiro Authentication |
| 18 | +# Shiro Authentication |
19 | 19 | To connect to Zeppelin, users will be asked to enter their credentials. Once logged, a user has access to all notes including other users notes. |
20 | 20 | This a a first step toward full security as implemented by this pull request (https://github.com/apache/incubator-zeppelin/pull/53). |
21 | 21 |
|
22 | | -#Security setup |
| 22 | +# Security setup |
23 | 23 | 1. Secure the HTTP channel: Comment the line "/** = anon" and uncomment the line "/** = authcBasic" in the file conf/shiro.ini. Read more about he shiro.ini file format at the following URL http://shiro.apache.org/configuration.html#Configuration-INISections. |
24 | 24 | 2. Secure the Websocket channel : Set to property "zeppelin.anonymous.allowed" to "false" in the file conf/zeppelin-site.xml. You can start by renaming conf/zeppelin-site.xml.template to conf/zeppelin-site.xml |
25 | 25 | 3. Start Zeppelin : bin/zeppelin.sh |
26 | 26 | 4. point your browser to http://localhost:8080 |
27 | 27 | 5. Login using one of the user/password combinations defined in the conf/shiro.ini file. |
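Review bot: step 1 on line 23 switches the HTTP channel to "authcBasic", but the setup steps never say that HTTP Basic authentication transmits the credentials with every request and therefore needs TLS in front of Zeppelin to be meaningful; step 4 even points the browser at plain "http://localhost:8080". Add a sentence to step 1 (or a step 0) noting that the endpoint should be served over HTTPS before enabling authcBasic. Step 5 refers to "user/password combinations defined in the conf/shiro.ini file", so the docs should also note that those passwords sit in clear text in that file and that its permissions should be restricted. Minor wording in the unchanged context: "he shiro.ini file" on line 23 should read "the shiro.ini file", and "Set to property" on line 24 should read "Set the property".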
28 | | - |
| 28 | + |
| 29 | +# Implementation notes |
| 30 | +## Vocabulary |
| 31 | +username, owner and principal are used interchangeably to designate the currently authenticated user |
| 32 | +## What are we securing ? |
| 33 | +Zeppelin is basically a web application that spawn remote interpreters to run commands and return HTML fragments to be displayed on the user browser. |
| 34 | +The scope of this PR is to require credentials to access Zeppelin. To achieve this, we use Apache Shiro. |
| 35 | +## HTTP Endpoint security |
| 36 | +Apache Shiro sits as a servlet filter between the browser and the exposed services and handles the required authentication without any programming required. (See Apache Shiro for more info). |
| 37 | +## Websocket security |
| 38 | +Securing the HTTP endpoints is not enough, since Zeppelin also communicates with the browser through websockets. To secure this channel, we take the following approach: |
| 39 | +1. The browser on startup requests a ticket through HTTP |
| 40 | +2. The Apache Shiro Servlet filter handles the user auth |
| 41 | +3. Once the user is authenticated, a ticket is assigned to this user and the ticket is returned to the browser |
| 42 | + |
| 43 | +All websockets communications require the username and ticket to be submitted by the browser. Upon receiving a websocket message, the server checks that the ticket received is the one assigned to the username through the HTTP request (step 3 above). |
| 44 | + |
29 | 45 |
|
30 | 46 |
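Review bot: the websocket section (lines 38 to 43) describes the ticket as "assigned to this user" and checked against the username on every message, but it does not document how the ticket is generated, how long it stays valid, or whether it is invalidated on logout; a reader configuring this cannot tell whether the ticket is a random, unguessable value or something derived from the username. Please add one or two sentences covering ticket generation (it should be a cryptographically random value), lifetime, and revocation, and note that, like the Basic credentials on the HTTP side, the username and ticket travel in clear over ws:// unless the deployment uses TLS. Small prose fixes in the added text: line 33 "a web application that spawn remote interpreters" should be "that spawns remote interpreters", line 32 "What are we securing ?" has a stray space before the question mark, and line 31 should end with a period.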
|