@hayssams Can you provide step-by-step directions for configuring and using this?

@elbamos

Step 1: Require HTTP Auth

In conf/shiro.ini file, replace the lines 31 and 32 below

/** = anon
#/** = authcBasic

by

#/** = anon
/** = authcBasic

Step 2: Secure the Websocket channel

Rename the conf/zeppelin-site.xml.template to conf/zeppelin-site.xml.
The property that does it all is the following one :

<property>
  <name>zeppelin.anonymous.allowed</name>
  <value>false</value>
  <description>Anonymous user allowed by default</description>
</property>

Step 3: Start Zeppelin and Authenticate

To authenticate, use one of the user/password set in the conf/shiro.ini file. See below

admin = password1
user1 = password2
user2 = password3

I've also included a SECURITY-README file in the PR.

I tested this PR, and it does ask for basic auth credentials after setting up conf/shiro.ini and setting zeppelin.anonymous.allowed to false.

However, after login, it does not show the Zeppelin welcome page as expected. (you can however navigate to specific notebooks).

What is the purpose of ticket? And why do you save principal and ticket in the notebook?

What will happen to my notebook if i have zeppelin and update to use it with shiro and viseversa?

@jeffsteinmetz
Solved the two issues you raised.
Issue 1 : Corrected the instructions in security-readme.md
Issue 2 : Welcome page is now correctly displayed.
Thanks!

@anthonycorbacho

Question 1 : What's the purpose of ticket ?

I added an implementation note in the security-readme file. It explains why we need a ticket to handle webscoket connections. Basically, it works as follows :

1. Shiro sits as a servlet filter and protect HTTP requests. That's enough to secure HTTP REST requests.
2. To secure web sockets connections, we make sure that the user submitted the right credentials on the HTTP REST channel. We do this by issuing a ticket on the HTTP channel (/ticket method) that the browser must submit with each websocket message.

Question 2 : Ticket saved in notebook ?

In this PR( #586) Principal and ticket are not saved in the notebook.

Question 3 : What will happen if switching from secure to non secure version and vice-versa

In this PR( #586). It will work as expected since no change is made to the notebook structure.

Confirmed: Welcome page is now correctly displayed.

Follow up question: Is it the responsibility of shiro to redirect to SSL so that the basic auth is not sent in the clear?

I saw shiro this example:

/** = ssl,authcBasic

@hayssams Thanks for the v2 branch.

I'm having some error with zeppelin-web development mode

could you take a look?

@jeffsteinmetz
ssl[port] forces SSL on a URL. In order for this to work, jetty must listen on a SSL port.
I think that it would be better to leave this responsibility to a front end web server or appliance.

@Leemoonsoo
I could not reproduce.
The 404 means that jetty could not start correctly or is not listening on that port.
What is the error raised at the line below in the ZeppelinServer.java.

    try {
      jettyWebServer.start(); //Instantiates ZeppelinServer
    } catch (Exception e) {
      LOG.error("Error while running jettyServer", e);
      System.exit(-1);
    }

P.S. I am using mvn exec:java ... to start in dev mode

@hayssams Makes sense. I could give the SSL redirect a test, and use the SSL support already exposed by Zeppelin.
Thank you for the follow up.

@Leemoonsoo
Just saw you are talking about the web dev mode not the server dev mode. I am looking at your issue

@Leemoonsoo
Just pushed the correction. Now using the baseUrlSrv on bootstrap.

@hayssams Thanks, confirmed the last commit made zeppelin-web dev mode work. However, if shiro.ini is configured to use authcBasic, zeppelin-web dev mode still does not work correctly. Could you take a look once again?

@Leemoonsoo
Added support for cross site requests with credentials

@hayssams Thanks, zeppelin-web dev mode works well.

About CI build,

Failed tests: 
  NotebookServerTest.testMakeSureNoAngularObjectBroadcastToWebsocketWhoFireTheEvent:134 
Wanted but not invoked:
notebookSocket.send(<any>);
-> at org.apache.zeppelin.socket.NotebookServerTest.testMakeSureNoAngularObjectBroadcastToWebsocketWhoFireTheEvent(NotebookServerTest.java:134)
Actually, there were zero interactions with this mock.

Do you see any reason for the failing?

@Leemoonsoo
Made anonymous the default user for websocket message to make test pass.

@hayssams Great to see CI test passing!

You'll also need to update https://github.com/apache/incubator-zeppelin/blob/master/zeppelin-distribution/src/bin_license/LICENSE for shiro-core and shiro-web dependency introduced by this PR.

And could you explain little bit about how zeppelin.anonymous.allowed in zeppelin-site.xml will be different from /** = anon in shiro.ini? Can we have only single configuration for anonymous mode?

@Leemoonsoo
Since we are in a WS context, we can't rely on Shiro to check the auth mode (anon versus authc).
However I can manage from the WS context to load the shiro.ini from the classpath without relying on shiro to get the auth mode.

@hayssams Thanks for explain about auth mode.
Really appreciate for this great contribution and such a long patience. I think this is really good first step toward multi-user support.

Looks good to me

@Leemoonsoo
Great news. I had great pleasure working on it and take into account all your remarks.
I'll now start to write down a proposal on how Zeppelin could handle authorizations throughApache Shiro ZEPPELIN-549.

Merge if there're no more discussions

@Leemoonsoo
I guess that someone with write access will merge it.