Zeppelin should support standard protocols for authN and AuthZ

mbatista
In order to make Zeppelin easier to integrate in modern cloud environments, where authentication and authorization are done by having a centralized server for all the apps, Zeppelin shall support standard protocols for IAM purposes.

Regarding authentication

- OpenID Connect protocol

Authorization

- UMA protocol (user access management), which is an OAuth 2.0 profile.

This allows resource owners to write their access control policies on the authorization server and make the policy enforcement point in Zeppelin itself, for instance.

A common language for policy expression can be XACML or the emerging ALFA language.


Re: Zeppelin should support standard protocols for authN and AuthZ

Jongyoul Lee
Hi,

Can you explain or give me an idea of it in more detail?






--
이종열, Jongyoul Lee, 李宗烈

RE: Zeppelin should support standard protocols for authN and AuthZ

mbatista

Hi,

Yes, of course.

Currently, as far as I understand, authentication and authorization are implemented by making use of Apache Shiro, correct?

The intention here is to detach Zeppelin from, or not bind it to, a specific solution by making use of standard protocols for authentication and authorization.

Example use case:

-------------------------------------------------------

Mário Batista

NOKIA

Product Owner

MN GS DE Tools NPO Automation

-------------------------------------------------------

 


Re: Zeppelin should support standard protocols for authN and AuthZ

Jeff Zhang

Do you mean to remove Shiro? Shiro is pluggable; maybe it supports the protocols you mentioned.


RE: Zeppelin should support standard protocols for authN and AuthZ

mbatista

You don't need to remove Shiro, but it would be nice if you had a way to set Zeppelin to use external Authentication & Authorization servers.

Of course, that requires that Zeppelin is able to interpret and enforce the policies that are stored in the central authorization server.

Plugging in Apache Shiro can be an option, but it still means that you have duplicate identities, groups, roles, etc.

So the idea was to put the permission handling logic inside Zeppelin, and you could use whatever authorization server you might use… as long as you use the standard protocols…

-------------------------------------------------------

Mário Batista

NOKIA

Product Owner

MN GS DE Tools NPO Automation

-------------------------------------------------------

 


Re: Zeppelin should support standard protocols for authN and AuthZ

Jeff Zhang

>>> Plugging in Apache Shiro can be an option but it still means that you still have duplicate identities, groups, roles etc

Don't understand this; why would it have duplicated identities, groups? Currently only Shiro authentication is integrated in Zeppelin; as long as we integrate Shiro authorization, there should be only one central place for authentication and authorization.

  



RE: Zeppelin should support standard protocols for authN and AuthZ

mbatista

The use case is to have Zeppelin and all tools/applications that belong to the SaaS layer authenticate and authorize users via 1 AuthN and AuthZ server, which is not Apache Shiro. So all the users, groups, roles, entitlements and policies are stored on the AuthN and AuthZ server and apps just use it.

If Zeppelin only relies on Shiro, then all the users, groups, roles, entitlements and policies stored in the AuthN and AuthZ server have to be transferred to the Shiro DB as well.

Correct?

So then the info gets duplicated. That's what I mean.

BR,

-------------------------------------------------------

Mário Batista

NOKIA

Product Owner

MN GS DE Tools NPO Automation

-------------------------------------------------------

 


Re: Zeppelin should support standard protocols for authN and AuthZ

Vinay Shukla

I agree, it will be useful to have Zeppelin ATN & ATZ more pluggable.

For ATN, if Zeppelin accepted identities vouched for in an upstream system, it can support most ATN protocols.

In the Hadoop ecosystem, Apache Knox is used for authentication. Knox already supports SAML-based identity assertion, and adding OAuth to it is relatively simple.

I think we can solve this use case with Zeppelin + Knox integration, such that Knox will authenticate the end user (via SAML, OAuth, plain LDAP) and pass a signed identity to Zeppelin.

We can try to solve this w/o Knox, but I don't think Zeppelin should implement support for SAML, OAuth flows in itself.

For ATZ, Zeppelin should do the following:
  1. Invent roles for Zeppelin-Admin and Zeppelin-User.
  2. Categorize UI functionality around these roles.
  3. Wrap access to sensitive functionality with calls to a pluggable authorizer.
The pluggable authorization could then use systems like Apache Ranger or Apache Sentry.

Look forward to comments and a discussion.

Thanks,
Vinay
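
The pattern proposed in this message, sketched as an added example that is not part of the original post or of Zeppelin's or Knox's code: the application verifies an identity signed by an upstream gateway, then wraps a sensitive action in a call to a pluggable authorizer. The HS256 shared key, issuer, audience, claim layout and action names are assumptions chosen to keep the sketch self-contained (a deployed gateway would normally sign with an asymmetric key); the two role names follow the post.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Protocol

# Constructed values for this example only.
GATEWAY_KEY = b"constructed-demo-key"   # shared with the gateway out of band
EXPECTED_ISS = "gateway.example"        # hypothetical issuer
EXPECTED_AUD = "zeppelin"               # hypothetical audience

class IdentityError(Exception):
    """The upstream identity assertion must not be trusted."""

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_identity(claims: dict, key: bytes = GATEWAY_KEY) -> str:
    """Gateway side: issue a compact JWS (HS256) over the identity claims."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_identity(token: str, now: float, key: bytes = GATEWAY_KEY) -> dict:
    """Application side: accept the identity only if every check passes."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        claims = json.loads(b64d(body))   # not used until the signature checks out
        signature = b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise IdentityError("malformed token") from exc
    # Pin the algorithm; never let the token choose it (for example "none").
    if header.get("alg") != "HS256":
        raise IdentityError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise IdentityError("bad signature")
    # A valid signature is not enough: the assertion must be meant for this app.
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise IdentityError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdentityError("expired or missing exp")
    if not isinstance(claims.get("sub"), str):
        raise IdentityError("missing subject")
    return claims

class Authorizer(Protocol):
    """Pluggable decision point; a client for a remote policy server could implement it."""
    def is_allowed(self, user: str, roles: set, action: str, resource: str) -> bool: ...

class RoleAuthorizer:
    """Local default using the two roles from the post; action names are hypothetical."""
    GRANTS = {
        "zeppelin-admin": {"notebook:read", "notebook:run", "interpreter:configure"},
        "zeppelin-user": {"notebook:read", "notebook:run"},
    }

    def is_allowed(self, user, roles, action, resource):
        return any(action in self.GRANTS.get(role, ()) for role in roles)

def enforce(token: str, action: str, resource: str,
            authorizer: Authorizer, now: Optional[float] = None) -> int:
    """Wrapper around sensitive functionality; returns an HTTP-style status."""
    try:
        claims = verify_identity(token, time.time() if now is None else now)
    except IdentityError:
        return 401  # fail closed: no verified identity, no access
    raw = claims.get("roles")
    roles = {r for r in raw if isinstance(r, str)} if isinstance(raw, list) else set()
    if not authorizer.is_allowed(claims["sub"], roles, action, resource):
        return 403
    return 200

if __name__ == "__main__":
    demo = sign_identity({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "bob",
                          "roles": ["zeppelin-user"], "exp": time.time() + 300})
    print(enforce(demo, "notebook:run", "note-1", RoleAuthorizer()))
    print(enforce(demo, "interpreter:configure", "spark", RoleAuthorizer()))
```

Swapping `RoleAuthorizer` for a class that queries an external policy server changes where decisions are made without touching the call sites that use `enforce`.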








RE: Zeppelin should support standard protocols for authN and AuthZ

mbatista

Hi Vinay,

Thank you for your comments. I think you understood the point…

I agree with you if we only consider the Hadoop ecosystem, although the use case I am talking about is a mixed ecosystem and not necessarily Hadoop.

Is Apache Knox compatible, for instance, with KONG Gateway or other API gateways? If not, then again we will be dependent on Knox.

Another thing is that in some configurations you might not need an API gateway, so in that case having the client side of the protocol directly implemented in Zeppelin makes it more flexible.

Regarding protocols, even though SAML is still used, I think we should use new trends.

By using UMA, for instance, every resource you need to protect (notebooks, DB connects, etc.) is managed by a Resource Server that gives access to users depending on the Resource Owners…

See https://docs.kantarainitiative.org/uma/ed/uma-core-2.0-01.html

-------------------------------------------------------

Mário Batista

NOKIA

Product Owner

MN GS DE Tools NPO Automation

-------------------------------------------------------

 
