Google Git
Sign in
apache / zeppelin-site / 11c4e85f9a1e180e52e4cd6eda94936b64e4f105 / . / docs / 0.7.0 / security / notebook_authorization.html
blob: e92dee4babfcaa2775138329970760bf54b6bf49 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Apache Zeppelin 0.7.0 Documentation: Notebook Authorization in Apache Zeppelin</title>
<meta name="description" content="This page will guide you how you can set the permission for Zeppelin notebooks. This document assumes that Apache Shiro authentication was set up.">
<meta name="author" content="The Apache Software Foundation">
<!-- Enable responsive viewport -->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- Le HTML5 shim, for IE6-8 support of HTML elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet">
<!-- Le styles -->
<link href="/docs/0.7.0/assets/themes/zeppelin/bootstrap/css/bootstrap.css" rel="stylesheet">
<link href="/docs/0.7.0/assets/themes/zeppelin/css/style.css?body=1" rel="stylesheet" type="text/css">
<link href="/docs/0.7.0/assets/themes/zeppelin/css/syntax.css" rel="stylesheet" type="text/css" media="screen" />
<!-- Le fav and touch icons -->
<!-- Update these with your own images
<link rel="shortcut icon" href="images/favicon.ico">
<link rel="apple-touch-icon" href="images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png">
-->
<!-- Js -->
<script src="https://code.jquery.com/jquery-1.10.2.min.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/bootstrap/js/bootstrap.min.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/js/docs.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/js/anchor.min.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/js/toc.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/js/lunr.min.js"></script>
<script src="/docs/0.7.0/assets/themes/zeppelin/js/search.js"></script>
<!-- atom & rss feed -->
<link href="/docs/0.7.0/atom.xml" type="application/atom+xml" rel="alternate" title="Sitewide ATOM Feed">
<link href="/docs/0.7.0/rss.xml" type="application/rss+xml" rel="alternate" title="Sitewide RSS Feed">
</head>
<body>
<div id="menu" class="navbar navbar-inverse navbar-fixed-top" role="navigation">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/docs/0.7.0">
<img src="/assets/themes/zeppelin/img/zeppelin_logo.png" width="50" alt="I'm zeppelin">
<span style="vertical-align:middle">Zeppelin</span>
<span style="vertical-align:baseline"><small>0.7.0</small></span>
</a>
</div>
<nav class="navbar-collapse collapse" role="navigation">
<ul class="nav navbar-nav">
<li>
<a href="#" data-toggle="dropdown" class="dropdown-toggle">Quick Start <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="/docs/0.7.0/index.html">What is Apache Zeppelin ?</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Getting Started</b><span></li>
<li><a href="/docs/0.7.0/install/install.html">Install</a></li>
<li><a href="/docs/0.7.0/install/configuration.html">Configuration</a></li>
<li><a href="/docs/0.7.0/quickstart/explorezeppelinui.html">Explore Zeppelin UI</a></li>
<li><a href="/docs/0.7.0/quickstart/tutorial.html">Tutorial</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Basic Feature Guide</b><span></li>
<li><a href="/docs/0.7.0/manual/dynamicform.html">Dynamic Form</a></li>
<li><a href="/docs/0.7.0/manual/publish.html">Publish your Paragraph</a></li>
<li><a href="/docs/0.7.0/manual/notebookashomepage.html">Customize Zeppelin Homepage</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>More</b><span></li>
<li><a href="/docs/0.7.0/install/upgrade.html">Upgrade Zeppelin Version</a></li>
<li><a href="/docs/0.7.0/install/build.html">Build from source</a></li>
<li><a href="/docs/0.7.0/quickstart/install_with_flink_and_spark_cluster.html">Install Zeppelin with Flink and Spark Clusters Tutorial</a></li>
</ul>
</li>
<li>
<a href="#" data-toggle="dropdown" class="dropdown-toggle">Interpreter <b class="caret"></b></a>
<ul class="dropdown-menu scrollable-menu">
<li><a href="/docs/0.7.0/manual/interpreters.html">Overview</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Usage</b><span></li>
<li><a href="/docs/0.7.0/manual/interpreterinstallation.html">Interpreter Installation</a></li>
<!--<li><a href="/docs/0.7.0/manual/dynamicinterpreterload.html">Dynamic Interpreter Loading</a></li>-->
<li><a href="/docs/0.7.0/manual/dependencymanagement.html">Interpreter Dependency Management</a></li>
<li><a href="/docs/0.7.0/manual/userimpersonation.html">Interpreter User Impersonation</a></li>
<li><a href="/docs/0.7.0/manual/interpreterexechooks.html">Interpreter Execution Hooks (Experimental)</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Available Interpreters</b><span></li>
<li><a href="/docs/0.7.0/interpreter/alluxio.html">Alluxio</a></li>
<li><a href="/docs/0.7.0/interpreter/beam.html">Beam</a></li>
<li><a href="/docs/0.7.0/interpreter/bigquery.html">BigQuery</a></li>
<li><a href="/docs/0.7.0/interpreter/cassandra.html">Cassandra</a></li>
<li><a href="/docs/0.7.0/interpreter/elasticsearch.html">Elasticsearch</a></li>
<li><a href="/docs/0.7.0/interpreter/flink.html">Flink</a></li>
<li><a href="/docs/0.7.0/interpreter/geode.html">Geode</a></li>
<li><a href="/docs/0.7.0/interpreter/hbase.html">HBase</a></li>
<li><a href="/docs/0.7.0/interpreter/hdfs.html">HDFS</a></li>
<li><a href="/docs/0.7.0/interpreter/hive.html">Hive</a></li>
<li><a href="/docs/0.7.0/interpreter/ignite.html">Ignite</a></li>
<li><a href="/docs/0.7.0/interpreter/jdbc.html">JDBC</a></li>
<li><a href="/docs/0.7.0/interpreter/kylin.html">Kylin</a></li>
<li><a href="/docs/0.7.0/interpreter/lens.html">Lens</a></li>
<li><a href="/docs/0.7.0/interpreter/livy.html">Livy</a></li>
<li><a href="/docs/0.7.0/interpreter/markdown.html">Markdown</a></li>
<li><a href="/docs/0.7.0/interpreter/pig.html">Pig</a></li>
<li><a href="/docs/0.7.0/interpreter/python.html">Python</a></li>
<li><a href="/docs/0.7.0/interpreter/postgresql.html">Postgresql, HAWQ</a></li>
<li><a href="/docs/0.7.0/interpreter/r.html">R</a></li>
<li><a href="/docs/0.7.0/interpreter/scalding.html">Scalding</a></li>
<li><a href="/docs/0.7.0/interpreter/scio.html">Scio</a></li>
<li><a href="/docs/0.7.0/interpreter/shell.html">Shell</a></li>
<li><a href="/docs/0.7.0/interpreter/spark.html">Spark</a></li>
</ul>
</li>
<li>
<a href="#" data-toggle="dropdown" class="dropdown-toggle">Display System <b class="caret"></b></a>
<ul class="dropdown-menu">
<li class="title"><span><b>Basic Display System</b><span></li>
<li><a href="/docs/0.7.0/displaysystem/basicdisplaysystem.html#text">Text</a></li>
<li><a href="/docs/0.7.0/displaysystem/basicdisplaysystem.html#html">Html</a></li>
<li><a href="/docs/0.7.0/displaysystem/basicdisplaysystem.html#table">Table</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Angular API</b><span></li>
<li><a href="/docs/0.7.0/displaysystem/back-end-angular.html">Angular (backend API)</a></li>
<li><a href="/docs/0.7.0/displaysystem/front-end-angular.html">Angular (frontend API)</a></li>
</ul>
</li>
<li>
<a href="#" data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a>
<ul class="dropdown-menu scrollable-menu" style="right: 0; left: auto;">
<li class="title"><span><b>Notebook Storage</b><span></li>
<li><a href="/docs/0.7.0/storage/storage.html#notebook-storage-in-local-git-repository">Git Storage</a></li>
<li><a href="/docs/0.7.0/storage/storage.html#notebook-storage-in-s3">S3 Storage</a></li>
<li><a href="/docs/0.7.0/storage/storage.html#notebook-storage-in-azure">Azure Storage</a></li>
<li><a href="/docs/0.7.0/storage/storage.html#storage-in-zeppelinhub">ZeppelinHub Storage</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>REST API</b><span></li>
<li><a href="/docs/0.7.0/rest-api/rest-interpreter.html">Interpreter API</a></li>
<li><a href="/docs/0.7.0/rest-api/rest-notebook.html">Notebook API</a></li>
<li><a href="/docs/0.7.0/rest-api/rest-configuration.html">Configuration API</a></li>
<li><a href="/docs/0.7.0/rest-api/rest-credential.html">Credential API</a></li>
<li><a href="/docs/0.7.0/rest-api/rest-helium.html">Helium API</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Security</b><span></li>
<li><a href="/docs/0.7.0/security/shiroauthentication.html">Shiro Authentication</a></li>
<li><a href="/docs/0.7.0/security/notebook_authorization.html">Notebook Authorization</a></li>
<li><a href="/docs/0.7.0/security/datasource_authorization.html">Data Source Authorization</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Advanced</b><span></li>
<li><a href="/docs/0.7.0/install/virtual_machine.html">Zeppelin on Vagrant VM</a></li>
<li><a href="/docs/0.7.0/install/spark_cluster_mode.html#spark-standalone-mode">Zeppelin on Spark Cluster Mode (Standalone)</a></li>
<li><a href="/docs/0.7.0/install/spark_cluster_mode.html#spark-on-yarn-mode">Zeppelin on Spark Cluster Mode (YARN)</a></li>
<li><a href="/docs/0.7.0/install/spark_cluster_mode.html#spark-on-mesos-mode">Zeppelin on Spark Cluster Mode (Mesos)</a></li>
<li><a href="/docs/0.7.0/install/cdh.html">Zeppelin on CDH</a></li>
<li role="separator" class="divider"></li>
<li class="title"><span><b>Contibute</b><span></li>
<li><a href="/docs/0.7.0/development/writingzeppelininterpreter.html">Writing Zeppelin Interpreter</a></li>
<li><a href="/docs/0.7.0/development/writingzeppelinvisualization.html">Writing Zeppelin Visualization (Experimental)</a></li>
<li><a href="/docs/0.7.0/development/writingzeppelinapplication.html">Writing Zeppelin Application (Experimental)</a></li>
<li><a href="/docs/0.7.0/development/howtocontribute.html">How to contribute (code)</a></li>
<li><a href="/docs/0.7.0/development/howtocontributewebsite.html">How to contribute (website)</a></li>
</ul>
</li>
<li>
<a href="/docs/0.7.0/search.html" class="nav-search-link">
<span class="fa fa-search nav-search-icon"></span>
</a>
</li>
</ul>
</nav><!--/.navbar-collapse -->
</div>
</div>
<div class="content">
<!--<div class="hero-unit Notebook Authorization in Apache Zeppelin">
<h1></h1>
</div>
-->
<div class="row">
<div class="col-md-12">
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<h1>Zeppelin Notebook Authorization</h1>
<div id="toc"></div>
<h2>Overview</h2>
<p>We assume that there is an <strong>Shiro Authentication</strong> component that associates a user string and a set of group strings with every NotebookSocket.
If you don&#39;t set the authentication components yet, please check <a href="./shiroauthentication.html">Shiro authentication for Apache Zeppelin</a> first.</p>
<h2>Authorization Setting</h2>
<p>You can set Zeppelin notebook permissions in each notebooks. Of course only <strong>notebook owners</strong> can change this configuration.
Just click <strong>Lock icon</strong> and open the permission setting page in your notebook.</p>
<p>As you can see, each Zeppelin notebooks has 3 entities :</p>
<ul>
<li>Owners ( users or groups )</li>
<li>Readers ( users or groups )</li>
<li>Writers ( users or groups )</li>
</ul>
<p><center><img src="../assets/themes/zeppelin/img/docs-img/permission_setting.png"></center></p>
<p>Fill out the each forms with comma seperated <strong>users</strong> and <strong>groups</strong> configured in <code>conf/shiro.ini</code> file.
If the form is empty (*), it means that any users can perform that operation.</p>
<p>If someone who doesn&#39;t have <strong>read</strong> permission is trying to access the notebook or someone who doesn&#39;t have <strong>write</strong> permission is trying to edit the notebook, Zeppelin will ask to login or block the user.</p>
<p><center><img src="../assets/themes/zeppelin/img/docs-img/insufficient_privileges.png"></center></p>
<h2>Separate notebook workspaces (public vs. private)</h2>
<p>By default, the authorization rights allow other users to see the newly created note, meaning the workspace is <code>public</code>. This behavior is controllable and can be set through either <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> variable in <code>conf/zeppelin-env.sh</code>, or through <code>zeppelin.notebook.public</code> property in <code>conf/zeppelin-site.xml</code>. Thus, in order to make newly created note appear only in your <code>private</code> workspace by default, you can set either <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> to <code>false</code> in your <code>conf/zeppelin-env.sh</code> as follows:</p>
<div class="highlight"><pre><code class="text language-text" data-lang="text">export ZEPPELIN_NOTEBOOK_PUBLIC=&quot;false&quot;
</code></pre></div>
<p>or set <code>zeppelin.notebook.public</code> property to <code>false</code> in <code>conf/zeppelin-site.xml</code> as follows:</p>
<div class="highlight"><pre><code class="text language-text" data-lang="text">&lt;property&gt;
&lt;name&gt;zeppelin.notebook.public&lt;/name&gt;
&lt;value&gt;false&lt;/value&gt;
&lt;description&gt;Make notebook public by default when created, private otherwise&lt;/description&gt;
&lt;/property&gt;
</code></pre></div>
<p>Behind the scenes, when you create a new note only the <code>owners</code> field is filled with current user, leaving <code>readers</code> and <code>writers</code> fields empty. All the notes with at least one empty authorization field are considered to be in <code>public</code> workspace. Thus when setting <code>zeppelin.notebook.public</code> (or corresponding <code>ZEPPELIN_NOTEBOOK_PUBLIC</code>) to false, newly created notes have <code>readers</code> and <code>writers</code> fields filled with current user, making note appear as in <code>private</code> workspace.</p>
<h2>How it works</h2>
<p>In this section, we will explain the detail about how the notebook authorization works in backend side.</p>
<h3>NotebookServer</h3>
<p>The <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java">NotebookServer</a> classifies every notebook operations into three categories: <strong>Read</strong>, <strong>Write</strong>, <strong>Manage</strong>.
Before executing a notebook operation, it checks if the user and the groups associated with the <code>NotebookSocket</code> have permissions.
For example, before executing a <strong>Read</strong> operation, it checks if the user and the groups have at least one entity that belongs to the <strong>Reader</strong> entities.</p>
<h3>Notebook REST API call</h3>
<p>Zeppelin executes a <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/NotebookRestApi.java">REST API call</a> for the notebook permission information.
In the backend side, Zeppelin gets the user information for the connection and allows the operation if the users and groups
associated with the current user have at least one entity that belongs to owner entities for the notebook.</p>
</div>
</div>
<hr>
<footer>
<!-- <p>&copy; 2017 The Apache Software Foundation</p>-->
</footer>
</div>
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-45176241-5', 'zeppelin.apache.org');
ga('require', 'linkid', 'linkid.js');
ga('send', 'pageview');
</script>
</body>
</html>