Posted to issues@livy.apache.org by "Saisai Shao (Jira)" <ji...@apache.org> on 2021/02/24 01:40:00 UTC

[jira] [Commented] (LIVY-833) Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)

    [ https://issues.apache.org/jira/browse/LIVY-833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17289457#comment-17289457 ] 

Saisai Shao commented on LIVY-833:
----------------------------------

This is a problem of Spark, not Livy. Spark uses the configuration to store everything, including passwords, and a user can get the configuration within an application in many ways. Besides Livy, a user can still get the passwords by using spark-shell, spark-submit and others.

If a user can submit code through Livy to Spark when Livy security is enabled, it means the user has permission to execute code, so it is acceptable for them to see the passwords.

> Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LIVY-833
>                 URL: https://issues.apache.org/jira/browse/LIVY-833
>             Project: Livy
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.7.0
>            Reporter: Kaidi Zhao
>            Priority: Major
>              Labels: security
>
> It looks like a regular user (client) of Livy, can use commands like: 
> spark.sparkContext.getConf().getAll()
> The command will retrieve all Spark configurations, including those passwords (such as spark.ssl.trustStorePassword, spark.ssl.keyPassword). 
> I would suggest blocking / masking these passwords. 
> PS, Spark's UI fixed this issue in this https://issues.apache.org/jira/browse/SPARK-16796



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
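The masking the reporter asks for is what Spark's UI does after SPARK-16796: a key/value pair is replaced with a placeholder when a redaction regex matches either its key or its value. The block below is an added, stand-alone reimplementation of that idea in plain Python, not code from Livy or Spark. The regex is assumed to be similar to Spark's default `spark.redaction.regex` (the exact default differs between Spark versions), the placeholder text follows what Spark prints, and the configuration pairs are constructed sample data. It also shows the point made in the comment above: redacting the listing is a presentation-layer control, the original values are still in memory for anyone who can run code.

```python
import re
from typing import Iterable, List, Tuple

# Assumption: a pattern similar to Spark's default spark.redaction.regex.
# The real default varies by Spark version; treat this value as illustrative.
DEFAULT_REDACTION_REGEX = r"(?i)secret|password|token"

# Placeholder Spark prints in place of a redacted value.
REDACTED = "*********(redacted)"

# Constructed sample configuration, modelled on what
# spark.sparkContext.getConf().getAll() returns for an SSL-enabled app.
SAMPLE_CONF: List[Tuple[str, str]] = [
    ("spark.app.name", "livy-session-0"),
    ("spark.master", "yarn"),
    ("spark.ssl.enabled", "true"),
    ("spark.ssl.keyStore", "/etc/spark/conf/keystore.jks"),
    ("spark.ssl.keyStorePassword", "hunter2"),
    ("spark.ssl.keyPassword", "hunter2"),
    ("spark.ssl.trustStorePassword", "changeit"),
    # Secret hiding under an innocuous key: only the value matches.
    ("spark.executor.extraJavaOptions", "-Dapi.token=abc123"),
]


def redact_conf(pairs: Iterable[Tuple[str, str]],
                regex: str = DEFAULT_REDACTION_REGEX) -> List[Tuple[str, str]]:
    """Return a masked copy of (key, value) pairs.

    A pair is redacted when the regex matches the key OR the value, so a
    credential pasted into a non-secret-looking option is still caught.
    The input list is not modified: this is a view, not a scrub.
    """
    pat = re.compile(regex)
    out: List[Tuple[str, str]] = []
    for key, value in pairs:
        if pat.search(key) or pat.search(value):
            out.append((key, REDACTED))
        else:
            out.append((key, value))
    return out


def plaintext_secrets(pairs: Iterable[Tuple[str, str]],
                      regex: str = DEFAULT_REDACTION_REGEX) -> List[Tuple[str, str]]:
    """Return the pairs that *would* be redacted, with their real values.

    Anyone who can execute code in the application can call something like
    this against the unredacted configuration, which is the caveat raised
    in the comment: masking the listing does not remove the secret.
    """
    pat = re.compile(regex)
    return [(k, v) for k, v in pairs if pat.search(k) or pat.search(v)]


def main() -> None:
    print("redacted view (what a UI or log line should show):")
    for key, value in redact_conf(SAMPLE_CONF):
        print(f"  {key} = {value}")
    print("values still reachable by code running in the app:")
    for key, value in plaintext_secrets(SAMPLE_CONF):
        print(f"  {key} = {value}")


if __name__ == "__main__":
    main()
```

Running it prints the three `spark.ssl.*Password` entries and the `extraJavaOptions` value as `*********(redacted)` in the first listing, and the same four entries with their real values in the second, which is exactly the gap the comment describes.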