Apache Zeppelin 0.10.1 Documentation: Notebook Authorization in Apache Zeppelin
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Apache Zeppelin 0.10.1 Documentation: Notebook Authorization in Apache Zeppelin</title> <meta name="description" content="This page will guide you how you can set the permission for Zeppelin notebooks. This document assumes that Apache Shiro authentication was set up."> <meta name="author" content="The Apache Software Foundation"> <!-- Enable responsive viewport --> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <!-- Le HTML5 shim, for IE6-8 support of HTML elements --> <!--[if lt IE 9]> <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script> <![endif]--> <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet"> <!-- Le styles --> <link href="/docs/0.10.1/assets/themes/zeppelin/bootstrap/css/bootstrap.css" rel="stylesheet"> <link href="/docs/0.10.1/assets/themes/zeppelin/css/style.css?body=1" rel="stylesheet" type="text/css"> <link href="/docs/0.10.1/assets/themes/zeppelin/css/syntax.css" rel="stylesheet" type="text/css" media="screen" /> <!-- Le fav and touch icons --> <!-- Update these with your own images <link rel="shortcut icon" href="images/favicon.ico"> <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> <link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png"> <link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png"> --> <!-- Js --> <script src="https://code.jquery.com/jquery-1.10.2.min.js"></script> <script src="/docs/0.10.1/assets/themes/zeppelin/bootstrap/js/bootstrap.min.js"></script> <script src="/docs/0.10.1/assets/themes/zeppelin/js/docs.js"></script> <script src="/docs/0.10.1/assets/themes/zeppelin/js/anchor.min.js"></script> <script src="/docs/0.10.1/assets/themes/zeppelin/js/toc.js"></script> <script src="/docs/0.10.1/assets/themes/zeppelin/js/lunr.min.js"></script> <script 
src="/docs/0.10.1/assets/themes/zeppelin/js/search.js"></script> <!-- atom & rss feed --> <link href="/docs/0.10.1/atom.xml" type="application/atom+xml" rel="alternate" title="Sitewide ATOM Feed"> <link href="/docs/0.10.1/rss.xml" type="application/rss+xml" rel="alternate" title="Sitewide RSS Feed"> </head> <body> <div id="menu" class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container navbar-container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <div class="navbar-brand"> <a class="navbar-brand-main" href="http://zeppelin.apache.org"> <img src="/docs/0.10.1/assets/themes/zeppelin/img/zeppelin_logo.png" width="50" style="margin-top: -2px;" alt="I'm zeppelin"> <span style="margin-left: 5px; font-size: 27px;">Zeppelin</span> <a class="navbar-brand-version" href="/docs/0.10.1" style="font-size: 15px; color: white;"> 0.10.1 </a> </a> </div> </div> <nav class="navbar-collapse collapse" role="navigation"> <ul class="nav navbar-nav"> <li> <a href="/docs/0.10.1/search.html" class="nav-search-link"> <span class="fa fa-search
nav-search-icon"></span> </a> </li> </ul> </nav><!--/.navbar-collapse --> </div> </div> <div class="content"> <!--<div class="hero-unit Notebook Authorization in Apache Zeppelin"> <h1></h1> </div> --> <div class="row"> <div class="col-md-12"> <!-- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <h1>Zeppelin Notebook Authorization</h1> <div id="toc"></div> <h2>Overview</h2> <p>We assume that there is a <strong>Shiro Authentication</strong> component that associates a user string and a set of group strings with every NotebookSocket. If you haven't set up the authentication components yet, please check <a href="./shiro_authentication.html">Shiro authentication for Apache Zeppelin</a> first.</p> <h2>Authorization Setting</h2> <p>You can set permissions for each Zeppelin notebook individually. Only <strong>notebook owners</strong> can change this configuration. Click the <strong>Lock icon</strong> to open the permission setting page in your notebook.</p> <p>As you can see, each Zeppelin notebook has 3 entities:</p> <ul> <li>Owners (users or groups)</li> <li>Readers (users or groups)</li> <li>Writers (users or groups)</li> <li>Runners (users or groups)</li> </ul> <p><center><img src="/docs/0.10.1/assets/themes/zeppelin/img/docs-img/permission_setting.png"></center></p> <p>Fill out each form with comma-separated <strong>users</strong> and <strong>groups</strong> configured in the <code>conf/shiro.ini</code> file.
If a form is empty (*), any user can perform that operation.</p> <p>If someone without <strong>read</strong> permission tries to access the notebook, someone without <strong>write</strong> permission tries to edit the notebook, or someone without <strong>run</strong> permission tries to run a paragraph, Zeppelin will ask them to log in or block the user.</p> <p>By default, owners and writers have <strong>write</strong> permission; owners, writers and runners have <strong>run</strong> permission; and owners, writers, runners and readers have <strong>read</strong> permission.</p> <p><center><img src="/docs/0.10.1/assets/themes/zeppelin/img/docs-img/insufficient_privileges.png"></center></p> <h2>Separate notebook workspaces (public vs. private)</h2> <p>By default, the authorization rights allow other users to see a newly created note, meaning the workspace is <code>public</code>. This behavior can be controlled through either the <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> variable in <code>conf/zeppelin-env.sh</code> or the <code>zeppelin.notebook.public</code> property in <code>conf/zeppelin-site.xml</code>.
To make newly created notes appear only in your <code>private</code> workspace by default, either set <code>ZEPPELIN_NOTEBOOK_PUBLIC</code> to <code>false</code> in your <code>conf/zeppelin-env.sh</code> as follows:</p> <div class="highlight"><pre><code class="bash language-bash" data-lang="bash"><span class="nb">export </span><span class="nv">ZEPPELIN_NOTEBOOK_PUBLIC</span><span class="o">=</span><span class="s2">"false"</span> </code></pre></div> <p>or set the <code>zeppelin.notebook.public</code> property to <code>false</code> in <code>conf/zeppelin-site.xml</code> as follows:</p> <div class="highlight"><pre><code class="xml language-xml" data-lang="xml"><span class="nt">&lt;property&gt;</span>
  <span class="nt">&lt;name&gt;</span>zeppelin.notebook.public<span class="nt">&lt;/name&gt;</span>
  <span class="nt">&lt;value&gt;</span>false<span class="nt">&lt;/value&gt;</span>
  <span class="nt">&lt;description&gt;</span>Make notebook public by default when created, private otherwise<span class="nt">&lt;/description&gt;</span>
<span class="nt">&lt;/property&gt;</span>
</code></pre></div> <p>Behind the scenes, when you create a new note, only the <code>owners</code> field is filled with the current user, leaving the <code>readers</code>, <code>runners</code> and <code>writers</code> fields empty. All notes with at least one empty authorization field are considered to be in the <code>public</code> workspace.
Thus, when <code>zeppelin.notebook.public</code> (or the corresponding <code>ZEPPELIN_NOTEBOOK_PUBLIC</code>) is set to false, newly created notes have the <code>readers</code>, <code>runners</code> and <code>writers</code> fields filled with the current user, making the note appear in the <code>private</code> workspace.</p> <h2>How it works</h2> <p>This section explains in detail how notebook authorization works on the backend.</p> <h3>NotebookServer</h3> <p>The <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java">NotebookServer</a> classifies every notebook operation into three categories: <strong>Read</strong>, <strong>Run</strong>, <strong>Write</strong>, <strong>Manage</strong>. Before executing a notebook operation, it checks whether the user and the groups associated with the <code>NotebookSocket</code> have the required permissions. For example, before executing a <strong>Read</strong> operation, it checks whether the user and the groups have at least one entity that belongs to the <strong>Reader</strong> entities.</p> <h3>Notebook REST API call</h3> <p>Zeppelin executes a <a href="https://github.com/apache/zeppelin/blob/master/zeppelin-server/src/main/java/org/apache/zeppelin/rest/NotebookRestApi.java">REST API call</a> for the notebook permission information.
On the backend, Zeppelin gets the user information for the connection and allows the operation if the users and groups associated with the current user have at least one entity that belongs to the owner entities for the notebook.</p> </div> </div> <hr> <footer> <!-- <p>© 2022 The Apache Software Foundation</p>--> </footer> </div> </body> </html>
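The permission rules described on this page, modelled in Python as an added example (not Zeppelin's own code). The class and function names are hypothetical, and the model assumes an empty field matches every user for each role that grants an operation, so a note that restricts only `readers` stays readable by anyone while `writers` or `runners` is empty.

```python
from dataclasses import dataclass, field

# Roles whose members are granted each operation, following the defaults
# stated on the page. "manage" (changing permissions) is owners-only.
GRANTED_BY = {
    "read": ("owners", "writers", "runners", "readers"),
    "run": ("owners", "writers", "runners"),
    "write": ("owners", "writers"),
    "manage": ("owners",),
}
FIELDS = ("owners", "readers", "runners", "writers")


@dataclass
class NotePermissions:
    owners: set = field(default_factory=set)
    readers: set = field(default_factory=set)
    runners: set = field(default_factory=set)
    writers: set = field(default_factory=set)


def new_note(creator, public=True):
    """Permissions of a fresh note for zeppelin.notebook.public = true / false."""
    if public:
        return NotePermissions(owners={creator})  # other fields stay empty
    return NotePermissions({creator}, {creator}, {creator}, {creator})


def is_member(entities, role_field):
    # Assumption: an empty field (*) matches everyone; otherwise the user or
    # one of the user's groups must appear in the field.
    return not role_field or bool(entities & role_field)


def is_allowed(note, operation, user, groups=()):
    entities = {user, *groups}
    return any(is_member(entities, getattr(note, role))
               for role in GRANTED_BY[operation])


def is_public(note):
    """A note with at least one empty authorization field is in the public workspace."""
    return any(not getattr(note, name) for name in FIELDS)


def open_operations(note):
    """Operations available to a user who matches no field at all."""
    outsider = "\x00nobody"  # constructed name that cannot appear in a field
    return [op for op in GRANTED_BY if is_allowed(note, op, outsider)]


if __name__ == "__main__":
    # Constructed sample notes for an audit-style walk-through.
    samples = {
        "public default": new_note("alice"),
        "private default": new_note("alice", public=False),
        "readers only": NotePermissions(owners={"alice"}, readers={"analysts"}),
    }
    for label, note in samples.items():
        print(f"{label:16} public={is_public(note)!s:5} open={open_operations(note)}")
```

The "readers only" case is the one to check for in an audit: filling in `readers` alone does not restrict reading, because the empty `writers` and `runners` fields still grant every operation except manage.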