Weird problem with notebook permissions, can change them eve if I'm not owner

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Weird problem with notebook permissions, can change them eve if I'm not owner

Luis Angel Vicente Sanchez
Hi,

I found that I can change permission of notebooks even if I only have
read access using the UI or sending calls to the REST API. I have tested
this against Zeppelin 0.7.1

If I check the logs I can see lots of line like these ones:

 INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
 NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
 permissions. Connection owners [admin]. Allowed owners [admin, analyst]
 INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
 NotebookRestApi.java[putNotePermissions]:207) - Set permissions
 2CGGE4ETT admin [admin, analyst] [admin, analyst] [admin, analyst]

I get those errors in the logs even if I'm the owner.

Regards,

Luis Angel Vicente Sanchez
[hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Weird problem with notebook permissions, can change them eve if I'm not owner

Luis Angel Vicente Sanchez
I found that the "Cannot change permissions is always printed even if
you have the rights to change the permissions. But anyway, I can change
permissions even if I only have read access. Check the following log
messages:

 INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
 NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
 permissions. Connection owners [client2]. Allowed owners [client1]
 INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
 NotebookRestApi.java[putNotePermissions]:207) - Set permissions
 2CRXM67WA client2 [client1 ] [client2 ] [client1 ]

client1 and client2 have different roles (one is analyst the other is
user) so... I shouldn't be allowed to change the permissions.

This is on Zeppelin 0.7.1

--
  Luis Angel Vicente Sanchez
  [hidden email]

On Fri, 8 Sep 2017, at 14:57, Luis Angel Vicente Sanchez wrote:

> Hi,
>
> I found that I can change permission of notebooks even if I only have
> read access using the UI or sending calls to the REST API. I have tested
> this against Zeppelin 0.7.1
>
> If I check the logs I can see lots of line like these ones:
>
>  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
>  NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
>  permissions. Connection owners [admin]. Allowed owners [admin, analyst]
>  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
>  NotebookRestApi.java[putNotePermissions]:207) - Set permissions
>  2CGGE4ETT admin [admin, analyst] [admin, analyst] [admin, analyst]
>
> I get those errors in the logs even if I'm the owner.
>
> Regards,
>
> Luis Angel Vicente Sanchez
> [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Weird problem with notebook permissions, can change them eve if I'm not owner

Luis Angel Vicente Sanchez
Ok... problem found, zeppelin.anonymous.enabled was not set to false. I
would say that the message saying that it's ignoring the owner of a
notebook because the anonymous access is enabled should be an INFO level
message and not a DEBUG one.
--
  Luis Angel Vicente Sanchez
  [hidden email]

On Fri, 8 Sep 2017, at 16:00, Luis Angel Vicente Sanchez wrote:

> I found that the "Cannot change permissions is always printed even if
> you have the rights to change the permissions. But anyway, I can change
> permissions even if I only have read access. Check the following log
> messages:
>
>  INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
>  NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
>  permissions. Connection owners [client2]. Allowed owners [client1]
>  INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
>  NotebookRestApi.java[putNotePermissions]:207) - Set permissions
>  2CRXM67WA client2 [client1 ] [client2 ] [client1 ]
>
> client1 and client2 have different roles (one is analyst the other is
> user) so... I shouldn't be allowed to change the permissions.
>
> This is on Zeppelin 0.7.1
>
> --
>   Luis Angel Vicente Sanchez
>   [hidden email]
>
> On Fri, 8 Sep 2017, at 14:57, Luis Angel Vicente Sanchez wrote:
> > Hi,
> >
> > I found that I can change permission of notebooks even if I only have
> > read access using the UI or sending calls to the REST API. I have tested
> > this against Zeppelin 0.7.1
> >
> > If I check the logs I can see lots of line like these ones:
> >
> >  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
> >  NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
> >  permissions. Connection owners [admin]. Allowed owners [admin, analyst]
> >  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
> >  NotebookRestApi.java[putNotePermissions]:207) - Set permissions
> >  2CGGE4ETT admin [admin, analyst] [admin, analyst] [admin, analyst]
> >
> > I get those errors in the logs even if I'm the owner.
> >
> > Regards,
> >
> > Luis Angel Vicente Sanchez
> > [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Weird problem with notebook permissions, can change them eve if I'm not owner

Raffaele S
Hello, if this is the case, can you please open a JIRA issue?

Raffaele

2017-09-08 18:18 GMT+02:00 Luis Angel Vicente Sanchez <[hidden email]>:
Ok... problem found, zeppelin.anonymous.enabled was not set to false. I
would say that the message saying that it's ignoring the owner of a
notebook because the anonymous access is enabled should be an INFO level
message and not a DEBUG one.
--
  Luis Angel Vicente Sanchez
  [hidden email]

On Fri, 8 Sep 2017, at 16:00, Luis Angel Vicente Sanchez wrote:
> I found that the "Cannot change permissions is always printed even if
> you have the rights to change the permissions. But anyway, I can change
> permissions even if I only have read access. Check the following log
> messages:
>
>  INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
>  NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
>  permissions. Connection owners [client2]. Allowed owners [client1]
>  INFO [2017-09-08 14:28:41,045] ({qtp1753447031-3709}
>  NotebookRestApi.java[putNotePermissions]:207) - Set permissions
>  2CRXM67WA client2 [client1 ] [client2 ] [client1 ]
>
> client1 and client2 have different roles (one is analyst the other is
> user) so... I shouldn't be allowed to change the permissions.
>
> This is on Zeppelin 0.7.1
>
> --
>   Luis Angel Vicente Sanchez
>   [hidden email]
>
> On Fri, 8 Sep 2017, at 14:57, Luis Angel Vicente Sanchez wrote:
> > Hi,
> >
> > I found that I can change permission of notebooks even if I only have
> > read access using the UI or sending calls to the REST API. I have tested
> > this against Zeppelin 0.7.1
> >
> > If I check the logs I can see lots of line like these ones:
> >
> >  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
> >  NotebookRestApi.java[ownerPermissionError]:109) - Cannot change
> >  permissions. Connection owners [admin]. Allowed owners [admin, analyst]
> >  INFO [2017-09-08 13:52:33,140] ({qtp1753447031-2786}
> >  NotebookRestApi.java[putNotePermissions]:207) - Set permissions
> >  2CGGE4ETT admin [admin, analyst] [admin, analyst] [admin, analyst]
> >
> > I get those errors in the logs even if I'm the owner.
> >
> > Regards,
> >
> > Luis Angel Vicente Sanchez
> > [hidden email]