-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Duplicate
-
Affects Version/s: 0.6.0
-
Fix Version/s: None
-
Component/s: Server
-
Labels:None
Currently ACLs enforcement occurs only on session owner. So, a request is authorized if the request user is same as session owner or has correct ACLs configured.
In case of impersonation, proxy user is checked against session owner, instead he should be checked against session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it, if ACLs are not configured correctly.
Additionally, it seems there is no auth-check right now while creating a session. We should add that check as well (against modify-session acls).
- duplicates
-
LIVY-592 Proxy user cannot view its session log
-
- Resolved
-
- links to