OK, after learning way too much about zeppelin and java.  :)

First, re-check the docs at: https://zeppelin.apache.org/docs/0.7.3/manual/userimpersonation.html

But it's more than that.  To lock things down as much as you can, you also
need to limit the set of users that can be impersonated, *and* you need to
isolate the running user.

First, set up a "zeppelin" group, and a "zeppelin" user.  This can be
www-data, or any other web front end user.  But after this exercise, I like
zeppelin:zeppelin.

Then, add the following line to /etc/sudoers with visudo:

zeppelin ALL = (%zeppelin) NOPASSWD: ALL

This lets zeppelin pretend to be any user in the zeppelin group, WITHOUT a
password.

Now, add all of your users to the zeppelin group.  If using LDAP, then you
have to adjust the LDAP db.

I use password-less with the following uncommented in zeppelin-env.sh

export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u ${ZEPPELIN_IMPERSONATE_USER} bash -c '


If you are using PAM and local files, then do this in /etc/passwd

/etc/passwd:zeppelin:x:999:33::/var/www/zeppelin:

And this in /etc/group

/etc/group:shadow:x:42:zeppelin
/etc/group:zeppelin:x:1002:zeppelin,samcn2

The second allows the zeppelin process to read /etc/shadow.  (one could also
use setfacl)
The third adds the users who can login to zeppelin and write.

Then, follow the instructions in the docs referenced above.
ALSO set in the interpreters page

shell.working.directory.user.home   true

Now, the shell user is me, and it's my home dir I log into.
You can do away with the homedir, but you have to setfacl or group perm
your zeppelin users back into the zeppelin user.


NOTE!!!

This only works for shell.  Python and R also can manipulate the PWD and
local environment.
I'll look into setting those tomorrow.

Also, set the shell.working.directory.user.home true
so that the user gets their home dir, and not the shared dir.  Because
unless you make the shared dir be mode 777 and setgid for your OS to force
mkdirs to inherit the wide open perms, then files/dirs you create won't be
shareable, and eventually zeppelin will complain.



On Tue, May 8, 2018 at 5:48 PM, Jhon Anderson Cardenas Diaz <jhonderson2...@gmail.com> wrote:

> Dear Zeppelin Community,
>
> Currently when a Zeppelin paragraph is executed, the code in it can read
> sensitive config files, change them, including web app pages and etc. Like
> in this example:
>
> %python
> f = open("/usr/zeppelin/conf/credentials.json", "r")
> f.read()
>
> Do you know if there is a way to configure the user used to start the
> interpreters or run the paragraph's code?, so that user can not access the
> File System where zeppelin is running, or has more restricted access.
>
> Thank you.
>
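The sudoers rule and /etc/group entries in the reply above decide exactly which accounts the zeppelin service user may become. The script below is an added example (not from the thread or the Zeppelin project) that audits that scope from constructed copies of the two files: it extracts the runas spec granted to "zeppelin", lists the members of a group, and fails when the spec is wider than the zeppelin group (for instance "(ALL)", which would let the web front end become root). Replace the sample strings with `cat /etc/sudoers` and `cat /etc/group` output to run it against a real host.

```shell
#!/bin/sh
# Constructed sample content, modelled on the lines quoted in the reply.
# Not read from the live system.
SUDOERS_SAMPLE='zeppelin ALL = (%zeppelin) NOPASSWD: ALL
root ALL=(ALL:ALL) ALL'
GROUP_SAMPLE='shadow:x:42:zeppelin
zeppelin:x:1002:zeppelin,samcn2
sudo:x:27:admin'

# impersonation_targets SUDOERS_TEXT
# Prints the runas spec of every sudoers rule whose user field is "zeppelin".
# "%zeppelin" limits impersonation to that group; "ALL" means any account.
impersonation_targets() {
    printf '%s\n' "$1" | awk '
        $1 == "zeppelin" && match($0, /\([^)]*\)/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# group_members GROUP_TEXT GROUPNAME
# Prints the members of GROUPNAME from /etc/group-formatted text, one per line.
# These are the accounts a "(%GROUPNAME)" runas spec allows zeppelin to become.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# audit_scope SUDOERS_TEXT
# Returns 0 only when zeppelin has exactly one rule and it is scoped to
# "%zeppelin". Multiple rules or a wider spec such as "ALL" return 1, so an
# unexpected second grant is treated as a finding rather than ignored.
audit_scope() {
    spec=$(impersonation_targets "$1")
    [ "$spec" = "%zeppelin" ]
}

# Stand-alone run: report the impersonation scope of the sample files.
if audit_scope "$SUDOERS_SAMPLE"; then
    echo "zeppelin may impersonate only members of group zeppelin:"
    group_members "$GROUP_SAMPLE" zeppelin
else
    echo "FINDING: zeppelin runas spec is wider than %zeppelin:"
    impersonation_targets "$SUDOERS_SAMPLE"
fi
```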
