<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>Security</title> <meta name="description" content="This page explains what security characteristics can be expected from Zeppelin, what measures operators of a Zeppelin instance will have to take, and how to report any security issues found in the Zeppelin software."> <meta name="author" content="The Apache Software Foundation"> <!-- Enable responsive viewport --> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" /> <!-- Le HTML5 shim, for IE6-8 support of HTML elements --> <!--[if lt IE 9]> <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script> <![endif]--> <!-- Le styles --> <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" integrity="sha384-wvfXpqpZZVQGK6TAh5PVlGOfQNHSoD2xbE+QkPxCAFlNEevoEH3Sl0sibVcOQVnN" crossorigin="anonymous"> <link href="https://fonts.googleapis.com/icon?family=Material+Icons"> <link href="/assets/themes/zeppelin/bootstrap/css/bootstrap.css" rel="stylesheet"> <link href="/assets/themes/zeppelin/css/style.css?body=1" rel="stylesheet" type="text/css"> <link href="/assets/themes/zeppelin/css/syntax.css" rel="stylesheet" type="text/css" media="screen" /> <!-- Le fav and touch icons --> <!-- Update these with your own images <link rel="shortcut icon" href="images/favicon.ico"> <link rel="apple-touch-icon" href="images/apple-touch-icon.png"> <link rel="apple-touch-icon" sizes="72x72" href="images/apple-touch-icon-72x72.png"> <link rel="apple-touch-icon" sizes="114x114" href="images/apple-touch-icon-114x114.png"> --> <link rel="apple-touch-icon" sizes="180x180" href="/assets/themes/zeppelin/img/favicon/apple-touch-icon.png"> <link rel="icon" type="image/png" sizes="32x32" href="/assets/themes/zeppelin/img/favicon/favicon-32x32.png"> <link rel="icon" type="image/png" sizes="16x16" href="/assets/themes/zeppelin/img/favicon/favicon-16x16.png"> <link 
rel="icon" type="image/png" href="/assets/themes/zeppelin/img/favicon/favicon.ico"> <link rel="manifest" href="/assets/themes/zeppelin/img/favicon/manifest.json"> <link rel="mask-icon" href="/assets/themes/zeppelin/img/favicon/safari-pinned-tab.svg" color="#438bc9"> <meta name="theme-color" content="#ffffff"> <!-- Js --> <script src="https://code.jquery.com/jquery-1.10.2.min.js"></script> <script src="https://ajax.googleapis.com/ajax/libs/angularjs/1.3.15/angular.min.js"></script> <!-- <script src="https://s3.amazonaws.com/apache-zeppelin/post/medium.js"></script>--> <script src="https://angular-ui.github.io/bootstrap/ui-bootstrap-tpls-2.5.0.js"></script> <script src="/assets/themes/zeppelin/bootstrap/js/bootstrap.min.js"></script> <script src="/assets/themes/zeppelin/js/docs.js"></script> <script src="/assets/themes/zeppelin/js/anchor.min.js"></script> <script src="/assets/themes/zeppelin/js/moment.min.js"></script> <script src="/assets/themes/zeppelin/js/helium.controller.js"></script> <script src="/assets/themes/zeppelin/js/medium.controller.js"></script> <!-- atom & rss feed --> <link href="/atom.xml" type="application/atom+xml" rel="alternate" title="Sitewide ATOM Feed"> <link href="/rss.xml" type="application/rss+xml" rel="alternate" title="Sitewide RSS Feed"> </head> <body> <div class="navbar navbar-inverse navbar-fixed-top" role="navigation"> <div class="container"> <div class="navbar-header"> <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/"> <img src="/assets/themes/zeppelin/img/zeppelin_logo.png" style="margin-top: -6px;" width="50" alt="I'm zeppelin"> <span style="margin-left: 5px;"> Apache Zeppelin </span> </a> </div> <nav class="navbar-collapse collapse" role="navigation"> <ul class="nav navbar-nav navbar-right"> <li><a 
href="/docs/latest/quickstart/install.html">Quick Start</a></li> <!-- Download --> <li class="docs"> <a href="#" data-toggle="dropdown" class="dropdown-toggle">Download<b class="caret"></b></a> <ul class="dropdown-menu"> <li><a href="/download.html">Download Zeppelin</a></li> <li><a href="/supported_interpreters.html">Supported Interpreters</a></li> </ul> </li> <!-- Docs --> <li class="docs"> <a href="#" data-toggle="dropdown" class="dropdown-toggle">Docs<b class="caret"></b></a> <ul class="dropdown-menu"> <li class="title"><span><b>Release</b></span></li> <li><a href="/docs/0.11.2">0.11.2</a></li> <li><a href="/docs/0.11.1">0.11.1</a></li> <li><a href="/docs/0.11.0">0.11.0</a></li> <li><a href="/docs/0.10.1">0.10.1</a></li> <li><a href="/docs/0.10.0">0.10.0</a></li> <li><a href="/docs/0.9.0">0.9.0</a></li> <li><a href="/docs/0.8.2">0.8.2</a></li> <li><a href="documentation.html">Older Versions</a></li> <li class="title"><span><b><a href="security.html">Security</a></b></span></li> </ul> </li> <li><a href="/helium_packages.html">Helium</a></li> <li class="docs"> <a href="#" data-toggle="dropdown" class="dropdown-toggle">Community<b class="caret"></b></a> <ul class="dropdown-menu"> <li><a href="/community.html">Contributors</a></li> <li><a href="https://github.com/apache/zeppelin">GitHub</a></li> </ul> </li> <!-- Apache --> <li class="docs"> <a href="#" data-toggle="dropdown" class="dropdown-toggle">Apache<b class="caret"></b></a> <ul class="dropdown-menu"> <li><a href="http://www.apache.org/foundation/how-it-works.html">Apache Software Foundation</a></li> <li><a href="http://www.apache.org/licenses/">Apache License</a></li> <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> <li><a href="/assets.html">Assets</a></li> <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li> </ul> </li> </ul> </nav><!--/.navbar-collapse --> </div> </div> <div class="content"> <!--<div class="hero-unit Security"> <h1></h1> </div> --> 
<div class="row"> <div class="col-md-12"> <!-- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. --> <h1>Zeppelin Security</h1> <p>This page explains what security characteristics can be expected from Zeppelin, what measures operators of a Zeppelin instance will have to take, and how to report any security issues found in the Zeppelin software.</p> <h2>Code execution on the server</h2> <p>It is the nature of the Zeppelin software that it allows uploading code from the browser and executing it on the server.</p> <p>Because of this, you should make sure your Zeppelin instance is only available to trusted users, and the server on which Zeppelin is installed does not contain any secrets or have privileges beyond those the users are trusted with.</p> <p>All interpreters should be assumed to be able to access the local shell and execute arbitrary commands with the privileges of the user running the Zeppelin server. As generic interpreters such as sh, Groovy, Java and Python make this especially trivial, we plan to disable the sh interpreter by default from version 0.11.1 onward.</p> <h3>Zeppelin on Docker</h3> <p>An exception to the above is when the Zeppelin interpreter is <a href="https://zeppelin.apache.org/docs/latest/quickstart/docker.html">run in a Docker container</a>. 
This isolates the interpreter&#39;s operating environment inside the Docker container.</p> <h3>Zeppelin on Kubernetes</h3> <p>A similar exception exists when Zeppelin is <a href="https://zeppelin.apache.org/docs/latest/quickstart/kubernetes.html">deployed on Kubernetes</a>. In this case Zeppelin creates a pod for each interpreter, and the Spark interpreter is auto-configured to use Spark on Kubernetes in client mode.</p> <h2>JavaScript code execution in the browser</h2> <p>Zeppelin allows notes to produce rich output, including HTML and even executing JavaScript code. This means that when users view each others&#39; notes, HTML and JavaScript controlled by the creator of the note will be executed in the browser that views it.</p> <p>Because of this, you should make sure your Zeppelin instance is only available to trusted users. When deploying Zeppelin on a domain that is shared with other applications, appropriate measures may have to be taken so that a compromised Zeppelin notebook does not also grant access to other services on the same domain.</p> <h2>Authentication</h2> <p>If you expose your Zeppelin instance on a network you don&#39;t fully trust, you should configure <a href="https://zeppelin.apache.org/docs/latest/setup/security/shiro_authentication.html">Apache Shiro authentication</a>.</p> <p>Non-authenticated users cannot view, store or execute notes, so they cannot execute code on the server or in other users&#39; browsers. Authenticated users, however, have the same access as described above, so even when using authentication it is still important to only give trusted users access to Zeppelin. Specifically, unless Docker or Kubernetes isolation has been configured as mentioned above, users technically have access to all notes by other users.</p> <h2>Executable verification</h2> <p>When running the Zeppelin service, be mindful that it uses executables which might be pre-installed on your server or container. 
These executables could potentially be altered for malicious purposes. To mitigate this risk, it&#39;s recommended to set the paths for these executables, such as PYTHON and SPARK_HOME, to trusted locations.</p> <h1>Reporting security issues</h1> <p>If you have found a potential security issue in Zeppelin, such as a way to bypass the Shiro authentication, we encourage you to report this problem at <a href="mailto:security@zeppelin.apache.org">security@zeppelin.apache.org</a>. This is a private mailing list. Please send one plain-text email for each vulnerability you are reporting.</p> <h2>Vulnerability handling</h2> <p>An overview of the vulnerability handling process is:</p> <ul> <li>The reporter reports the vulnerability privately to <a href="mailto:security@zeppelin.apache.org">security@zeppelin.apache.org</a>.</li> <li>The Zeppelin project security team works privately with the reporter to resolve the vulnerability.</li> <li>The Zeppelin project creates a new release of the package the vulnerability affects to deliver its fix.</li> <li>The Zeppelin project publicly announces the vulnerability and describes how to apply the fix.</li> </ul> <p>Committers should read a <a href="https://www.apache.org/security/committers.html">more detailed description of the process</a>. Reporters of security vulnerabilities may also find it useful.</p> </div> </div> </div> <footer> <!-- <p>&copy; 2024 The Apache Software Foundation</p>--> </footer> </body> </html>
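Added example for the Authentication section above (this is not code from the Zeppelin project or its documentation): a POSIX shell audit of a `shiro.ini` that checks the two rules which decide whether an unauthenticated user can reach anything beyond the login flow. It assumes the standard Shiro `[urls]` layout, where rules are matched top to bottom, `anon` marks a path as reachable without login and a final `/** = authc` rule requires a login for everything else. The sample `shiro.ini` it writes is constructed here (with a placeholder password), and the `/api/version` allowlist is an assumption about which endpoint may stay open.

```shell
#!/bin/sh
# Added example (not Zeppelin project code): audit a shiro.ini for the rules that
# decide whether unauthenticated users can reach anything beyond the login flow.
# Assumptions: standard Shiro [urls] section, rules matched top to bottom,
# "anon" = no login required, "authc" = authenticated session required.

# Constructed sample: a hardened shiro.ini. Only /api/version is anonymous and
# the catch-all "/** = authc" comes last, so every unlisted path needs a login.
write_sample_shiro_ini() {
  cat > "$1" <<'EOF'
[users]
admin = CHANGE-ME-placeholder-password, admin

[main]
shiro.loginUrl = /api/login

[roles]
admin = *

[urls]
/api/version = anon
/api/interpreter/** = authc, roles[admin]
/** = authc
EOF
}

# Print one "path<TAB>filter chain" line per rule in the [urls] section.
url_rules() {
  awk '
    /^\[/ { in_urls = ($0 == "[urls]"); next }
    in_urls && index($0, "=") {
      path = substr($0, 1, index($0, "=") - 1)
      rule = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", path)
      gsub(/^[ \t]+|[ \t]+$/, "", rule)
      print path "\t" rule
    }' "$1"
}

# Return 0 when the file requires a login for everything except /api/version,
# 1 otherwise; each finding is written to stderr.
check_shiro_ini() {
  ini=$1
  status=0

  # 1. The catch-all rule must exist and must start with "authc".
  catchall=$(url_rules "$ini" | awk -F '\t' '$1 == "/**" { print $2 }' | tail -n 1)
  case "$catchall" in
    authc*) ;;
    "")     echo "$ini: no /** catch-all rule, unlisted paths are not protected" >&2
            status=1 ;;
    *)      echo "$ini: /** catch-all is '$catchall', expected authc" >&2
            status=1 ;;
  esac

  # 2. No path other than the version endpoint may carry the "anon" filter.
  extra_anon=$(url_rules "$ini" \
    | awk -F '\t' '$2 ~ /(^|,)[ \t]*anon[ \t]*(,|$)/ && $1 != "/api/version" { print $1 }')
  if [ -n "$extra_anon" ]; then
    echo "$ini: anonymous paths other than /api/version: $extra_anon" >&2
    status=1
  fi

  return "$status"
}

# Stand-alone demo on the constructed sample; on a real install point
# check_shiro_ini at conf/shiro.ini under your Zeppelin installation instead.
sample=$(mktemp)
write_sample_shiro_ini "$sample"
if check_shiro_ini "$sample"; then
  echo "sample shiro.ini: authentication rules look correct"
fi
rm -f "$sample"
```

The check deliberately reads only the `[urls]` section: a `[users]` or `[roles]` block proves nothing about exposure if the catch-all rule is missing or set to `anon`, which is exactly the kind of drift a pre-deployment audit should catch.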
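Added example for the Executable verification section above (not code from the Zeppelin project): a POSIX shell check, run before the service starts, that decides whether an executable Zeppelin will launch (the interpreter `PYTHON` points to, `spark-submit` under `SPARK_HOME`) lives in a trusted location. "Trusted" is an assumed policy: the resolved file and every directory above it are owned by root or by the expected service account and are not writable by group or other (a sticky world-writable directory such as `/tmp` is tolerated), and optionally the file's SHA-256 matches a value you pin. The account name and pinned hash are inputs you supply; the demo at the bottom checks whatever `python3` is on `PATH`.

```shell
#!/bin/sh
# Added example (not Zeppelin project code): verify that an executable Zeppelin
# will launch (the PYTHON interpreter, $SPARK_HOME/bin/spark-submit, ...) sits
# in a trusted location before the service starts.
# Assumed policy: the resolved file and every directory above it are owned by
# root or by the expected service account and are not group/other writable;
# a sticky world-writable directory (e.g. /tmp) is tolerated because only an
# entry's owner can replace it there. An optional SHA-256 pins the exact file.

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_executable PATH [OWNER] [EXPECTED_SHA256]
# Returns 0 if PATH passes the policy above, 1 otherwise (reason on stderr).
verify_executable() {
  exe=$1
  owner=${2:-root}
  expected=${3:-}

  if [ ! -f "$exe" ] || [ ! -x "$exe" ]; then
    echo "$exe: not an executable regular file" >&2
    return 1
  fi
  # Follow symlinks so a link into a writable directory cannot pass the check.
  resolved=$(readlink -f "$exe" 2>/dev/null) || resolved=$exe

  # Walk from the file up to / and inspect owner and mode of each component.
  p=$resolved
  while :; do
    set -- $(ls -ld "$p" | awk '{ print $1, $3 }')
    perms=$1
    who=$2
    if [ "$who" != root ] && [ "$who" != "$owner" ]; then
      echo "$exe: $p is owned by '$who', expected root or '$owner'" >&2
      return 1
    fi
    group_w=$(printf '%s' "$perms" | cut -c6)
    other_w=$(printf '%s' "$perms" | cut -c9)
    sticky=$(printf '%s' "$perms" | cut -c10)
    if [ "$group_w" = w ] || [ "$other_w" = w ]; then
      if [ -d "$p" ] && { [ "$sticky" = t ] || [ "$sticky" = T ]; }; then
        : # sticky shared directory, tolerated
      else
        echo "$exe: $p is writable by group/other ($perms)" >&2
        return 1
      fi
    fi
    [ "$p" = / ] && break
    p=$(dirname "$p")
  done

  # Optional integrity pin against a hash recorded at install time.
  if [ -n "$expected" ]; then
    actual=$(sha256_of "$resolved")
    if [ "$actual" != "$expected" ]; then
      echo "$exe: sha256 $actual does not match pinned $expected" >&2
      return 1
    fi
  fi
  return 0
}

# Stand-alone demo: check the interpreter PYTHON points to (or python3 on PATH).
candidate=${PYTHON:-$(command -v python3 || echo /usr/bin/python3)}
if verify_executable "$candidate"; then
  echo "$candidate: trusted"
else
  echo "$candidate: NOT trusted, see messages above"
fi
```

Walking every parent directory matters more than checking the file alone: a root-owned `python3` inside a directory the service account can write to can be swapped out by anything running as that account, which is the situation the page warns about. Pinning the hash turns the check from "could be tampered with" into "has not changed since you recorded it".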