ZEPPELIN-1497: %spark and %python interpreters are able to read credentials.json file


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.6.1

    Description

      Currently DB credentials for all users are stored in a plain text file on disk. This file is readable by any interpreter capable of running arbitrary code with Zeppelin user privileges, e.g. %python or %spark.

      %spark
      scala.io.Source.fromFile("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json").mkString
      
      res6: String =
      {
        "credentialsMap": {
          "anonymous": {
            "userCredentials": {
              "testdb": {
                "username": "user",
                "password": "pass"
              }
            }
          }
        }
      }
      
      %python
      open("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json", 'r').read()
      
      '{\n  "credentialsMap": {\n    "anonymous": {\n      "userCredentials": {\n        "testdb": {\n          "username": "user",\n          "password": "pass"\n        }\n      }\n    }\n  }\n}'
      

      Basically, if one has %python or %spark interpreters enabled, it makes the whole credentials store useless and even dangerous.
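As an added audit example (not from the report or the Zeppelin project), the Python below walks the credentials.json layout shown above and reports which users have stored secrets and whether the calling process can read the file; the sample file body, user names and entity names are constructed, and the 0600 step shows that file mode alone does not address the issue, since the interpreter runs as the file's owner.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the layout the report shows (credentialsMap -> user
# -> userCredentials -> entity -> username/password); values are made up.
SAMPLE_CREDENTIALS_JSON = """{"credentialsMap": {
  "anonymous": {"userCredentials": {
    "testdb": {"username": "user", "password": "pass"}}},
  "alice": {"userCredentials": {
    "warehouse": {"username": "alice_ro", "password": "s3cret"},
    "metastore": {"username": "alice", "password": "hunter2"}}}
}}"""

def stored_credentials(text):
    """Map each user to the entities it has a stored password for; the
    passwords themselves are not returned, so the result is safe to log."""
    data = json.loads(text)
    result = {}
    for user, entry in data.get("credentialsMap", {}).items():
        entities = entry.get("userCredentials", {})
        result[user] = sorted(n for n, c in entities.items() if "password" in c)
    return result

def audit_credentials_file(path):
    """Report what a credentials.json exposes and whether the calling process
    (an interpreter running as the Zeppelin user) can read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        creds = stored_credentials(f.read())
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "readable_by_this_process": os.access(path, os.R_OK),
        "secrets": creds,
        "secret_count": sum(len(v) for v in creds.values()),
    }

def demo():
    """Write the sample to a temp file, restrict it to 0600 and audit it: it
    is no longer world-readable, yet the owning process still reads it."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        f.write(SAMPLE_CREDENTIALS_JSON)
        path = f.name
    try:
        os.chmod(path, 0o600)
        return audit_credentials_file(path)
    finally:
        os.unlink(path)
```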


          People

            Assignee: Unassigned
            Reporter: Dmitry Zhukov
