[LIVY-591] ACLs enforcement should occur on both session owner and proxy user - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 0.6.0
Fix Version/s: None
Component/s: Server
Labels:
None

Description

Currently ACLs enforcement occurs only on session owner. So, a request is authorized if the request user is same as session owner or has correct ACLs configured.

Eg: https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70

In case of impersonation, proxy user is checked against session owner, instead he should be checked against session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it, if ACLs are not configured correctly.

Additionally, it seems there is no auth-check right now while creating a session. We should add that check as well (against modify-session acls).

Attachments

Issue Links

duplicates

LIVY-592 Proxy user cannot view its session log

Resolved

links to

GitHub Pull Request #171

Activity

People

Assignee:

Unassigned

Reporter:

Ankur Gupta

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

24/Apr/19 17:32

Updated:

22/Aug/19 02:44

Resolved:

22/Aug/19 02:44

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m