Hello,

Personally, I added some code to integrate another AA engine with some settings, but it's at a very early stage, so we need to implement a new AA engine. Anyway, it's possible to replace the current Shiro. :-)

On Mon, Feb 15, 2021 at 10:38 AM, Jeff Zhang <[email protected]> wrote:

> Hi Adam,
>
> You are right that Zeppelin only uses Shiro for authentication, but not for
> authorization. All the notebook authorization info is stored in a custom JSON
> file [1] instead of Shiro's backend storage. This Shiro part was
> implemented a very long time ago; I also don't know the original design
> purpose. But I think it would be super helpful if you can help on that to
> unify the authentication and authorization via Shiro.
>
> [1] https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/storage/LocalConfigStorage.java#L69
>
> On Mon, Feb 15, 2021 at 6:26 AM, Adam Binford <[email protected]> wrote:
>
> > Hi all, new Zeppelin user here. I started playing around with it to see how
> > it compares to using Spark Magic for access to a secure Hadoop cluster. I
> > liked the native Spark cluster mode, and the integration with Knox as an SSO
> > mechanism provided a great user experience. I was a little confused, though,
> > when the notebook reader/runner/writer authorizations didn't seem to be
> > working with groups. I dug into the code and realized it's because, while
> > the URL authorizations I assume are more natively integrated with Shiro,
> > the notebook authorizations are more custom.
> >
> > I apologize if I made any bad assumptions or have anything wrong here; I've
> > only been working with Zeppelin for a week!
> >
> > The current logic seems something like:
> > - Get user name and all user roles
> > - Get all notebook entities (for one of writer, reader, etc.)
> > - Find intersection between these two lists
> >
> > I see the main limitation here is that Shiro doesn't natively support "Get
> > all roles for user", so it's kinda worked around in
> > ShiroAuthenticationService.getAssociatedRoles, which only handles specific
> > realms.
> >
> > I'm attempting to add the Knox realm as a special case to that method to
> > get things working in the short term; I can create a ticket and PR when I
> > get that working if that would be helpful to others.
> >
> > Longer term, and without very intimate knowledge of Zeppelin or how some of
> > these decisions were made originally, would it make sense to try to update
> > the notebook authorization flow to something like:
> > - Get all notebook entities
> > - For each entity, check if user has that name/role
> >
> > So that it could be more natively supported by Shiro. I have no idea what
> > the lift would be for that, but figured I'd bring it up and see if there
> > were any reasons that it wasn't done in the first place.
> >
> > --
> > Adam
>
> --
> Best Regards
>
> Jeff Zhang

--
이종열, Jongyoul Lee, 李宗烈
http://madeng.net
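The two notebook authorization flows Adam contrasts (the current role-intersection check, which needs the user's full role list, versus a per-entity `Subject.hasRole()` check), shown side by side as an added Java example that is not Zeppelin's or Shiro's own code; the method names, the in-memory INI realm, the user/role names and the notebook "writer" list are all constructed for the illustration.

```java
import java.util.List;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;

// Added illustration, not Zeppelin code. "entities" stands for the user and role
// names granted one notebook permission (e.g. "writer") from Zeppelin's JSON file.
public class NotebookAuthzExample {

    // Current flow: intersect the user's roles with the entities. This needs
    // "all roles for the user", which Shiro's Subject API does not expose.
    static boolean allowedByIntersection(String user, Set<String> userRoles,
                                         List<String> entities) {
        for (String entity : entities) {
            if (entity.equals(user) || userRoles.contains(entity)) {
                return true; // non-empty intersection => permitted
            }
        }
        return false;
    }

    // Proposed flow: walk the entities and ask Shiro, per entity, whether the
    // Subject is that principal or holds that role; hasRole() is delegated to the
    // configured realms, so no realm-specific role enumeration is required.
    static boolean allowedBySubjectCheck(Subject subject, List<String> entities) {
        Object principal = subject.getPrincipal();
        String user = principal == null ? "" : principal.toString();
        for (String entity : entities) {
            if (entity.equals(user) || subject.hasRole(entity)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed in-memory realm standing in for Knox, LDAP, etc.
        Ini ini = new Ini();
        ini.addSection("users").put("alice", "secret, data-engineers");
        ini.addSection("roles").put("data-engineers", "notebook:*");
        SecurityManager sm = new IniSecurityManagerFactory(ini).getInstance();
        SecurityUtils.setSecurityManager(sm);
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("alice", "secret"));
        List<String> writers = List.of("bob", "data-engineers"); // constructed "writer" entities
        System.out.println(allowedBySubjectCheck(subject, writers)); // permitted via the role
        System.out.println(allowedByIntersection("alice", Set.of("data-engineers"), writers));
    }
}
```

Both methods accept the same entity list, so the difference is only where the role knowledge lives: in a pre-fetched role set that Zeppelin must build per realm type, or inside Shiro's own `hasRole()` resolution.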
