  1. Livy
  2. LIVY-591

ACLs enforcement should occur on both session owner and proxy user


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 0.6.0
    • Fix Version/s: None
    • Component/s: Server
    • Labels:
      None

      Description

      Currently, ACL enforcement occurs only on the session owner. So a request is authorized if the request user is the same as the session owner or has the correct ACLs configured.

      E.g.: https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70

      In the case of impersonation, the proxy user is checked against the session owner; instead, he should be checked against the session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it if ACLs are not configured correctly.

      Additionally, it seems there is no auth check right now while creating a session. We should add that check as well (against modify-session ACLs).
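
A minimal model of the authorization gap described above, added here as an illustration and not taken from Livy's code base. The names `Session`, `Acls`, `owner_only_check`, `owner_and_proxy_check`, `can_create` and the users in `demo` are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Session:
    owner: str                  # authenticated user that created the session
    proxy_user: Optional[str]   # impersonated user, None without impersonation


@dataclass(frozen=True)
class Acls:
    modify: FrozenSet[str] = frozenset()   # users allowed to modify sessions


def owner_only_check(user: str, session: Session, acls: Acls) -> bool:
    """Behaviour the issue describes: only the session owner is compared."""
    return user == session.owner or user in acls.modify


def owner_and_proxy_check(user: str, session: Session, acls: Acls) -> bool:
    """Proposed behaviour: the session's proxy user is accepted as well."""
    allowed = {session.owner}
    if session.proxy_user is not None:
        allowed.add(session.proxy_user)
    return user in allowed or user in acls.modify


def can_create(user: str, acls: Acls) -> bool:
    """Proposed creation-time check against the modify-session ACL."""
    return user in acls.modify


def demo() -> dict:
    # Constructed scenario: "gateway" creates a session impersonating "alice".
    acls = Acls(modify=frozenset({"admin", "gateway"}))
    session = Session(owner="gateway", proxy_user="alice")
    return {
        "alice_current": owner_only_check("alice", session, acls),
        "alice_proposed": owner_and_proxy_check("alice", session, acls),
        "mallory_proposed": owner_and_proxy_check("mallory", session, acls),
        "gateway_create": can_create("gateway", acls),
        "mallory_create": can_create("mallory", acls),
    }


if __name__ == "__main__":
    print(demo())
```
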


              People

              • Assignee:
                Unassigned
                Reporter:
                ankur.gupta Ankur Gupta

                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0h
                  • Logged: 20m