Uploaded image for project: 'Zeppelin'
  1. Zeppelin
  2. ZEPPELIN-2703

Drop down user's interpreter uid to authenticated user's uid

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • 0.7.0, 0.7.2, 0.8.0
    • None
    • None

    Description

      Would be great if Zeppelin would launch user's Zeppelin interpreter processes under their own uid through setuid() call.

      So then keytabs could be locked down to be accessible to that one user.

      For example, after I LDAP-authenticated as "tagar" user, Zeppelin will drop down uid to tagar user and its keytab will have unix access bits set to 0600.

      As suggested on PR-2407 for ZEPPELIN-1907.

      Another advantage is that for example, user's shell interpreter would find ~ to be correct user's home directory, not a shared service accounts' home directory.

      Notice, that setuid() doesn't require Zeppelin to run as root user. It's only required to set CAP_SETUID Linux capability on the executable so Zeppelin server can change user's interpreter processes from Zeppelin's service account's uid to that specific user's uid.

      Attachments

        Activity

          People

            Unassigned Unassigned
            Tagar Ruslan Dautkhanov
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated: