Zeppelin / ZEPPELIN-4151

Any user can see configurations and notebooks despite shiro authentication


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.8.1
    • Fix Version/s: 0.9.0
    • Component/s: GUI, Interpreters
    • Labels:
    • Environment: Linux
    • Flags: Patch, Important

      Description

      Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?

      For example, any user can just execute the following in a note to get what is inside the shiro.ini file.

      import scala.sys.process._
      "cat conf/shiro.ini".!!
      

      I know that one can use livy.spark instead for proper user impersonation, but then you can't use the ZeppelinContext variable z.
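As an added defensive example (not code from this report or from the Zeppelin project): a scanner that walks a stored note's paragraphs and flags interpreter code that shells out or references Zeppelin's own configuration and notebook files, so an operator can review such paragraphs rather than relying on shiro alone. It assumes a simplified note.json layout of {"paragraphs": [{"text": ...}]}; the indicator patterns and the sample note are constructed.

```python
import json
import re

# Indicators (assumed, tune per deployment): ways a paragraph can run an OS command
# from the interpreter process, which has the same file access as the Zeppelin server.
SHELL_OUT_PATTERNS = [
    r"scala\.sys\.process",                  # Scala process API used in the report
    r'"[^"]*"\s*\.!!?',                      # "cmd".! / "cmd".!! string-to-process idiom
    r"\bsubprocess\b|os\.system|os\.popen",  # Python equivalents
    r"Runtime\.getRuntime\(\)\.exec",        # Java/Scala Runtime.exec
    r"%sh\b",                                # the shell interpreter itself
]
# Zeppelin files an ordinary user's paragraph has no reason to reference.
SENSITIVE_PATHS = [r"shiro\.ini", r"\bconf/", r"zeppelin-site\.xml", r"\bnotebook/"]

def scan_note(note_json: str) -> list:
    """Return findings for one note document, each as
    {"paragraph": index, "reason": str, "snippet": str}.
    Assumes the simplified layout {"paragraphs": [{"text": "..."}]}."""
    note = json.loads(note_json)
    findings = []
    for idx, para in enumerate(note.get("paragraphs", [])):
        text = para.get("text") or ""
        shell = any(re.search(p, text) for p in SHELL_OUT_PATTERNS)
        paths = any(re.search(p, text) for p in SENSITIVE_PATHS)
        if shell and paths:
            reason = "shell-out touching Zeppelin config/notebook files"
        elif shell:
            reason = "shell-out from interpreter process"
        elif paths:
            reason = "references Zeppelin config/notebook path"
        else:
            continue
        findings.append({"paragraph": idx, "reason": reason,
                         "snippet": text.strip().replace("\n", " ")[:80]})
    return findings

# Constructed sample note: one benign Spark paragraph, the paragraph quoted in
# the report, and a %sh paragraph listing the notebook directory.
SAMPLE_NOTE = json.dumps({"name": "scratch", "paragraphs": [
    {"text": '%spark\nval df = spark.read.parquet("/data/events")\ndf.count()'},
    {"text": '%spark\nimport scala.sys.process._\n"cat conf/shiro.ini".!!'},
    {"text": "%sh\nls -l notebook/"},
]})

if __name__ == "__main__":
    for f in scan_note(SAMPLE_NOTE):
        print(f"paragraph {f['paragraph']}: {f['reason']} :: {f['snippet']}")
```

Run it over every note.json under the notebook directory to get a review list; matches are candidates for a human look, not proof of misuse.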

    People

    • Assignee: Unassigned
    • Reporter: Hamid Mushtaq (metallicpriest)

    Time Tracking

    • Original Estimate: 336h
    • Remaining Estimate: 336h
    • Time Spent: Not Specified
