ZEPPELIN-4151: Any user can see configurations and notebooks despite shiro authentication


Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 0.8.1
    • 0.9.0
    • GUI, Interpreters
    • Linux

    • Patch, Important

    Description

      Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?

      For example, any user can just execute the following in a note to get what is inside the shiro.ini file.

      import scala.sys.process._
      // runs `cat` as the Zeppelin service user and returns its stdout as a String
      "cat conf/shiro.ini".!!

       I know that one can use livy.spark instead for proper user impersonation, but then you can't use the ZeppelinContext variable z.
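A detection-side example, added here and not part of this report or of the Zeppelin project: it scans an exported note for paragraphs that reach out of the interpreter toward the host filesystem or the Zeppelin configuration (process execution, shiro.ini, %sh paragraphs, the notebook store), so operators can review such notes while the underlying access problem is unresolved. The note layout (a "paragraphs" list whose entries carry a "text" field) and the sample note are assumptions constructed for the example.

```python
import json
import re

# Constructed sample export of a Zeppelin note (assumed note.json shape: a
# "paragraphs" list whose entries carry the paragraph "text"); not from any deployment.
SAMPLE_NOTE = json.dumps({
    "name": "analysis",
    "id": "2EXAMPLE1",
    "paragraphs": [
        {"title": "load", "text": "%spark\nval df = spark.read.parquet(\"/data/events\")"},
        {"title": "peek", "text": "%spark\nimport scala.sys.process._\n\"cat conf/shiro.ini\".!!"},
        {"title": "sh", "text": "%sh\nls -la /opt/zeppelin/notebook/"},
        {"title": "md", "text": "%md\n## Notes about shiro.ini in conf/ (documentation only)"},
    ],
})

# Patterns that indicate a paragraph reaches the host filesystem or the Zeppelin
# configuration rather than the user's own data. Tune these to the deployment.
SUSPICIOUS = [
    (re.compile(r"scala\.sys\.process"), "Scala process execution"),
    (re.compile(r"Runtime\.getRuntime\(\)\.exec"), "JVM process execution"),
    (re.compile(r"\bshiro\.ini\b"), "reference to shiro.ini"),
    (re.compile(r"(^|\n)\s*%sh\b"), "shell interpreter paragraph"),
    (re.compile(r"\bnotebook/"), "reference to the notebook storage directory"),
]

def interpreter_of(text):
    """Return the %interpreter tag a paragraph starts with, or 'default'."""
    m = re.match(r"\s*%(\S+)", text)
    return m.group(1) if m else "default"

def scan_note(note_json):
    """Return [(paragraph_title, interpreter, reason), ...] for matching paragraphs."""
    note = json.loads(note_json)
    findings = []
    for p in note.get("paragraphs", []):
        text = p.get("text", "")
        interp = interpreter_of(text)
        if interp == "md":  # markdown paragraphs cannot execute anything
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(text):
                findings.append((p.get("title", "<untitled>"), interp, reason))
    return findings

if __name__ == "__main__":
    for title, interp, reason in scan_note(SAMPLE_NOTE):
        print(f"[{title}] %{interp}: {reason}")
```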

      People

        Assignee: Unassigned
        Reporter: Hamid Mushtaq (metallicpriest)

      Time Tracking

        Original Estimate: 336h
        Remaining Estimate: 336h
        Time Spent: Not Specified