Posted to dev@zeppelin.apache.org by "Hamid Mushtaq (JIRA)" <ji...@apache.org> on 2019/05/11 18:59:00 UTC

[jira] [Created] (ZEPPELIN-4151) A user can see configurations and notebooks despite shiro authentication

Hamid Mushtaq created ZEPPELIN-4151:
---------------------------------------

             Summary: A user can see configurations and notebooks despite shiro authentication
                 Key: ZEPPELIN-4151
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4151
             Project: Zeppelin
          Issue Type: Bug
          Components: GUI, Interpreters
    Affects Versions: 0.8.1
         Environment: Linux
            Reporter: Hamid Mushtaq
             Fix For: 0.9.0, 0.8.2


Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?

For example, I can just execute the following in a note to get what is inside the shiro.ini file.

{code:java}
import scala.sys.process._
"cat conf/shiro.ini".!!
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
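As an added defensive check (this is not code from the reporter or from the Zeppelin project): a POSIX shell audit that reports any secret-bearing file under a Zeppelin conf directory that accounts other than its owner can read. It assumes the mitigation the report alludes to, running interpreter processes under a different OS account than the Zeppelin server, so that owner-only permissions on shiro.ini are what stop interpreter code from reading it. The directory layout (ZEPPELIN_HOME/conf) and the file names beyond shiro.ini are assumptions about a typical install.

```shell
#!/bin/sh
# Added example, not Zeppelin's own code: audit a Zeppelin conf directory for
# sensitive files that any other local account (for instance the one an
# interpreter runs under) could open.
#
# Assumption (constructed for this example): conf lives at ZEPPELIN_HOME/conf
# and interpreters do not run as the server's OS user, so group/other read
# bits on these files are the condition worth flagging.

# File names treated as sensitive; shiro.ini holds users and passwords,
# the others are assumed names for files that commonly carry credentials.
SENSITIVE_FILES="shiro.ini zeppelin-site.xml credentials.json interpreter.json"

# perms_of FILE: print the octal permission bits of FILE (GNU, then BSD stat).
perms_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# check_conf_perms DIR: return 0 when every sensitive file present in DIR is
# readable only by its owner; otherwise print each offender and return 1.
check_conf_perms() {
    dir=$1
    bad=0
    for name in $SENSITIVE_FILES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        mode=$(perms_of "$f")
        # Keep the last two octal digits (group, other). Any digit with the
        # read bit (4) set means a non-owner account can read the file.
        group_other=$(printf '%s' "$mode" | tail -c 2)
        case "$group_other" in
            *[4567]*)
                echo "READABLE BY NON-OWNER: $f (mode $mode)"
                bad=1
                ;;
        esac
    done
    return $bad
}

# Stand-alone usage: audit $ZEPPELIN_HOME/conf when that variable is set.
if [ -n "${ZEPPELIN_HOME:-}" ]; then
    check_conf_perms "$ZEPPELIN_HOME/conf"
fi
```

The check is deliberately narrow: it does not tell you which account the interpreter runs as, so combine it with a look at the process owner of the interpreter (for example via `ps -o user,args`) before trusting a clean result. A clean result with interpreters running as the same user as the server still means the report's scenario applies.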