Details
- Bug
- Status: Open
- Critical
- Resolution: Unresolved
- 0.6.2, 0.7.0
Description
Currently zeppelin-server will pass user credential info to the interpreter process through thrift. This would cause a potential security issue, as I think the thrift protocol we use for now is not secured. One solution is to enable SSL for thrift.
Besides, there are 2 other problems:
- credential info is saved in conf/credentials.json in plain text.
- credential info is passed to all the interpreters no matter whether the interpreter needs it.
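
The "enable SSL for thrift" option mentioned above, sketched as an added example using libthrift's `TSSLTransportFactory`; this is not Zeppelin's code. The class name, keystore and truststore paths, passwords, timeout and loopback binding are assumptions, and client certificates are required so that only a process holding a trusted key can connect to the side that receives credentials.

```java
import java.net.InetAddress;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSSLTransportFactory.TSSLTransportParameters;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/** Hypothetical helper: mutually authenticated TLS transports for a Thrift link. */
public final class ThriftTlsTransports {
  // Assumption: both JVMs support TLS 1.2; a null cipher list keeps the JVM defaults.
  private static final String PROTOCOL = "TLSv1.2";
  private static final int TIMEOUT_MS = 10_000; // assumed value

  private ThriftTlsTransports() {}

  /** Listening socket for the process that receives credentials over Thrift. */
  public static TServerSocket serverSocket(int port,
      String keyStore, String keyPass, String trustStore, String trustPass)
      throws TTransportException {
    // Third argument true = require a client certificate (mutual TLS).
    TSSLTransportParameters p = new TSSLTransportParameters(PROTOCOL, null, true);
    p.setKeyStore(keyStore, keyPass);       // this side's private key + certificate
    p.setTrustStore(trustStore, trustPass); // certificates of callers allowed to connect
    // Assumption: both processes run on the same host, so bind to loopback only.
    return TSSLTransportFactory.getServerSocket(
        port, TIMEOUT_MS, InetAddress.getLoopbackAddress(), p);
  }

  /** Connected transport for the process that sends credentials. */
  public static TTransport clientTransport(String host, int port,
      String keyStore, String keyPass, String trustStore, String trustPass)
      throws TTransportException {
    TSSLTransportParameters p = new TSSLTransportParameters(PROTOCOL, null);
    p.setKeyStore(keyStore, keyPass);       // client certificate presented to the server
    p.setTrustStore(trustStore, trustPass); // pins which server certificate is accepted
    // Returns an already-opened TLS socket; a failed handshake surfaces as
    // TTransportException before any credential is written to the wire.
    return TSSLTransportFactory.getClientSocket(host, port, TIMEOUT_MS, p);
  }
}
```

The returned `TServerSocket` and `TTransport` drop in wherever the plain `TServerSocket`/`TSocket` would otherwise be constructed. This covers only the transport; the plain-text conf/credentials.json file and the per-interpreter scoping are separate problems.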