Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
0.7.3
-
None
-
None
-
Apache Zeppelin 0.7.3
Apache Spark 2.2 CDH
YARN Cloudera 5.14
Description
Following on this issue which was merged long time ago:
https://issues.apache.org/jira/browse/ZEPPELIN-987
I have two problems with this way of "securing" endpoints especially in interpreters:
- If users are not supposed to access these 3 areas, shouldn't the UI be smarter and hide them as well? Not really ergonomic to display a choice and then say sorry you can't touch this.
- The bigger issue that I am just facing is users can't restart their Spark interpreter after securing `/api/interpreter/**`. It says you are not authorised to access /api/interpreters/settings/restart/xxxx.
It is really important for users to start a fresh Spark context since the sessions are not terminated after some idle time (at least not in 0.7.3) like Livy. So users may need to create a fresh Spark context/session and destroy old variables/UI.
Update: I am changing this to a bug as this is possible when the interpreter is Livy. Users can restart their own interpreter from their notebook without seeing the error.
Here is the conf for shiro:
/api/version = authc, roles[admin] /api/interpreter/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] /api/credential/** = authc, roles[admin] /api/notebook-repositories/** = authc, roles[admin] /app/jobmanager/** = authc, roles[admin] /** = authc
UPDATE2: I was wrong! The restart interpreter is not working for users no matter what (Spark or Livy).