[ZEPPELIN-987] Enable user to secure interpreter setting, credentials and configurations info

SECURITY-README.md

@@ -17,7 +17,7 @@ To connect to Zeppelin, users will be asked to enter their credentials. Once log
 This a a first step toward full security as implemented by this pull request (https://github.com/apache/zeppelin/pull/53).
 
 # Security setup
-1. Secure the HTTP channel: Comment the line "/** = anon" and uncomment the line "/** = authcBasic" in the file conf/shiro.ini. Read more about he shiro.ini file format at the following URL http://shiro.apache.org/configuration.html#Configuration-INISections.  
+1. Secure the HTTP channel: Comment the line "/** = anon" and uncomment the line "/** = authc" in the file conf/shiro.ini. Read more about he shiro.ini file format at the following URL http://shiro.apache.org/configuration.html#Configuration-INISections.  
 2. Secure the Websocket channel : Set to property "zeppelin.anonymous.allowed" to "false" in the file conf/zeppelin-site.xml. You can start by renaming conf/zeppelin-site.xml.template to conf/zeppelin-site.xml
 3. Start Zeppelin : bin/zeppelin.sh
 4. point your browser to http://localhost:8080

conf/shiro.ini

@@ -18,7 +18,7 @@
 [users]
 # List of users with their password allowed to access Zeppelin.
 # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections
-admin = password1
+admin = password1, admin
 user1 = password2, role1, role2
 user2 = password3, role3
 user3 = password4, role2
@@ -58,12 +58,17 @@ shiro.loginUrl = /api/login
 role1 = *
 role2 = *
 role3 = *
+admin = *
 
 [urls]
+# This section is used for url-based security.
+# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. 
 # anon means the access is anonymous.
-# authcBasic means Basic Auth Security
 # authc means Form based Auth Security
 # To enfore security, comment the line below and uncomment the next one
 /api/version = anon
+#/api/interpreter/** = authc, roles[admin]
+#/api/configurations/** = authc, roles[admin]
+#/api/credential/** = authc, roles[admin]
 /** = anon
 #/** = authc

docs/security/shiroauthentication.md

@@ -66,13 +66,17 @@ Finally, you can login using one of the below **username/password** combinations
 <center><img src="../assets/themes/zeppelin/img/docs-img/zeppelin-login.png"></center>
 
 ```
-admin = password1
-user1 = password2
-user2 = password3
+[users]
+
+admin = password1, admin
+user1 = password2, role1, role2
+user2 = password3, role3
+user3 = password4, role2
 ```
+You can set the roles for each users next to the password.
 
-### 5. Groups and permissions (optional)
-In case you want to leverage user groups and permissions, use one of the following configuration for LDAP or AD under `[main]` segment in `shiro.ini`
+## Groups and permissions (optional)
+In case you want to leverage user groups and permissions, use one of the following configuration for LDAP or AD under `[main]` segment in `shiro.ini`.
 
 ```
 activeDirectoryRealm = org.apache.zeppelin.server.ActiveDirectoryGroupRealm
@@ -101,6 +105,21 @@ finance = *
 group1 = *
 ```
 
-All of above configurations are defined in the `conf/shiro.ini` file.
+## Secure your Zeppelin information (optional)
+By default, anyone who defined in `[users]` can share **Interpreter Setting**, **Credential** and **Configuration** information in Apache Zeppelin. 
+Sometimes you might want to hide these information for your use case. 
+Since Shiro provides **url-based security**, you can hide the information by commenting or uncommenting these below lines in `conf/shiro.ini`.
+
+```
+[urls]
+
+/api/interpreter/** = authc, roles[admin]
+/api/configurations/** = authc, roles[admin]
+/api/credential/** = authc, roles[admin]
+```
+
+In this case, only who have `admin` role can see **Interpreter Setting**, **Credential** and **Configuration** information. 
+If you want to grant this permission to other users, you can change **roles[ ]** as you defined at `[users]` section.
 
-> **NOTE :** This documentation is originally from [SECURITY-README.md](https://github.com/apache/zeppelin/blob/master/SECURITY-README.md).
+<br/>
+> **NOTE :** All of the above configurations are defined in the `conf/shiro.ini` file. This documentation is originally from [SECURITY-README.md](https://github.com/apache/zeppelin/blob/master/SECURITY-README.md).

zeppelin-web/src/app/configuration/configuration.controller.js

@@ -14,7 +14,7 @@
 'use strict';
 
 angular.module('zeppelinWebApp').controller('ConfigurationCtrl', function($scope, $route, $routeParams, $location,
-                                                                          $rootScope, $http, baseUrlSrv) {
+                                                                          $rootScope, $http, baseUrlSrv, ngToast) {
   $scope.configrations = [];
   $scope._ = _;
 
@@ -24,6 +24,16 @@ angular.module('zeppelinWebApp').controller('ConfigurationCtrl', function($scope
       $scope.configurations = data.body;
     }).
     error(function(data, status, headers, config) {
+      if (status === 401) {
+        ngToast.danger({
+          content: 'You don\'t have permission on this page',
+          verticalPosition: 'bottom',
+          timeout: '3000'
+        });
+        setTimeout(function() {
+          window.location.replace('/');
+        }, 3000);
+      }
       console.log('Error %o %o', status, data.message);
     });
   };

zeppelin-web/src/app/credential/credential.controller.js

@@ -30,6 +30,16 @@ angular.module('zeppelinWebApp').controller('CredentialCtrl', function($scope, $
       console.log('Success %o %o', status, $scope.credentialInfo);
     }).
     error(function(data, status, headers, config) {
+      if (status === 401) {
+        ngToast.danger({
+          content: 'You don\'t have permission on this page',
+          verticalPosition: 'bottom',
+          timeout: '3000'
+        });
+        setTimeout(function() {
+          window.location.replace('/');
+        }, 3000);
+      }
       console.log('Error %o %o', status, data.message);
     });
   };

zeppelin-web/src/app/interpreter/interpreter.controller.js

@@ -27,6 +27,16 @@ angular.module('zeppelinWebApp').controller('InterpreterCtrl',
       $http.get(baseUrlSrv.getRestApiBase() + '/interpreter/setting').success(function(data, status, headers, config) {
         $scope.interpreterSettings = data.body;
       }).error(function(data, status, headers, config) {
+        if (status === 401) {
+          ngToast.danger({
+            content: 'You don\'t have permission on this page',
+            verticalPosition: 'bottom',
+            timeout: '3000'
+          });
+          setTimeout(function() {
+            window.location.replace('/');
+          }, 3000);
+        }
         console.log('Error %o %o', status, data.message);
       });
     };