Uploaded image for project: 'Livy'
  1. Livy
  2. LIVY-266

Livy sessions/batches are not secured. Any user can stop another user session/batch

    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Works for Me
    • Affects Version/s: 0.3
    • Fix Version/s: None
    • Component/s: Core
    • Labels:
      None

      Description

      Dev,

      Livy session or batches are not currently secured. i.e. User A can start a session or batch and User B can submit code to session started by User A or even stop that session. This is critical issue on secured cluster, when User A is having sensitive data access, there may be a chance User B can access those sensitive datasets through User-A Session.

      Here, is an example from our secured cluster.

      1. Starting session from user "prabhu"

      curl --silent --negotiate -u:prabhu localhost:8998/sessions -X POST -H 'Content-Type: application/json' -d '{
      "kind":"scala",
      "proxyUser":"prabhu",
      "name":"Testing"
      }' | python -m json.tool

      {
      "id": 371,
      "appId": null,
      "owner": "prabhu",
      "proxyUser": "prabhu",
      "state": "starting",
      "kind": "spark",
      "appInfo":

      { "driverLogUrl": null, "sparkUiUrl": null }

      ,
      "log": []
      }

      1. Executing code to above session by some other user "don"

      curl --silent --negotiate -u:don localhost:8998/sessions/371/statements -X POST -H 'Content-Type: application/json' -d '{
      "code":"sc.applicationId"
      }' | python -m json.tool
      {
      "id": 0,
      "state": "available",
      "output": {
      "status": "ok",
      "execution_count": 0,
      "data":

      { "text/plain": "res0: String = application_1476926173701_398436" }

      }
      }

      1. Stopping above session by different user "john" this time

      curl --silent --negotiate -u:john localhost:8998/sessions/371 -X DELETE | python -m json.tool
      {
      "msg": "deleted"
      }

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              prabhu1984 Prabhu Kasinathan
            • Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: