Posted to issues@livy.apache.org by "shanyu zhao (JIRA)" <ji...@apache.org> on 2018/11/30 06:13:00 UTC

[jira] [Commented] (LIVY-266) Livy sessions/batches are not secured. Any user can stop another user session/batch

    [ https://issues.apache.org/jira/browse/LIVY-266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16704312#comment-16704312 ] 

shanyu zhao commented on LIVY-266:
----------------------------------

[~tc0312] are you saying that all the requests are actually using SPNEGO with identity "prabhu", and therefore it all works fine? If a different user tries to post statements or kill sessions owned by user "prabhu", Livy will deny that request?

If Knox is used to access Livy in a Kerberized cluster, and the Knox user is configured as "livy.superusers", then the proxyUser field is enforced for the POST /sessions request. However, a post statements request to any session from the Knox server to the Livy server will always be successful because the caller identity is the Knox user, not the end user. How does Livy find out who is making the request to it?

> Livy sessions/batches are not secured. Any user can stop another user session/batch
> -----------------------------------------------------------------------------------
>
>                 Key: LIVY-266
>                 URL: https://issues.apache.org/jira/browse/LIVY-266
>             Project: Livy
>          Issue Type: Task
>          Components: Core
>    Affects Versions: 0.3
>            Reporter: Prabhu Kasinathan
>            Priority: Major
>
> Dev,
> Livy sessions or batches are not currently secured, i.e. User A can start a session or batch and User B can submit code to the session started by User A or even stop that session. This is a critical issue on a secured cluster: when User A has access to sensitive data, there may be a chance User B can access those sensitive datasets through User A's session.
> Here is an example from our secured cluster.
> # Starting session from user "prabhu"
> curl --silent --negotiate -u:prabhu localhost:8998/sessions -X POST -H 'Content-Type: application/json' -d '{
>   "kind":"scala",
>   "proxyUser":"prabhu",
>   "name":"Testing"
> }' | python -m json.tool
> {
>     "id": 371,
>     "appId": null,
>     "owner": "prabhu",
>     "proxyUser": "prabhu",
>     "state": "starting",
>     "kind": "spark",
>     "appInfo": {
>         "driverLogUrl": null,
>         "sparkUiUrl": null
>     },
>     "log": []
> }
> # Executing code to above session by some other user "don"
> curl --silent --negotiate -u:don localhost:8998/sessions/371/statements -X POST -H 'Content-Type: application/json' -d '{
>   "code":"sc.applicationId"
> }' | python -m json.tool
> {
>     "id": 0,
>     "state": "available",
>     "output": {
>         "status": "ok",
>         "execution_count": 0,
>         "data": {
>             "text/plain": "res0: String = application_1476926173701_398436"
>         }
>     }
> }
> # Stopping above session by different user "john" this time
> curl --silent --negotiate -u:john localhost:8998/sessions/371 -X DELETE | python -m json.tool
> {
>     "msg": "deleted"
> }



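The ownership check this thread asks for, sketched as an added example (not Livy's code and not part of the original message): the decision is made for the end user, and a superuser gateway is only trusted to forward a user name, not to act on every session. The names `Session`, `effective_user`, `can_modify`, the `forwarded` parameter and session 372 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed setting: "knox" stands in for the gateway account that the
# comment describes as listed under livy.superusers.
SUPERUSERS = {"knox"}

@dataclass(frozen=True)
class Session:
    id: int
    owner: str                 # authenticated caller that created the session
    proxy_user: Optional[str]  # user the session runs as, when requested

    @property
    def runs_as(self) -> str:
        return self.proxy_user or self.owner

def effective_user(authenticated: str, forwarded: Optional[str]) -> str:
    """Identity the decision is made for; only a superuser may forward one."""
    if forwarded is None or forwarded == authenticated:
        return authenticated
    if authenticated not in SUPERUSERS:
        raise PermissionError(f"{authenticated} may not act as {forwarded}")
    return forwarded

def can_modify(session: Session, authenticated: str,
               forwarded: Optional[str] = None) -> bool:
    """Allow posting statements or deleting only for the session's own user."""
    try:
        user = effective_user(authenticated, forwarded)
    except PermissionError:
        return False
    # A gateway that forwards no end user is judged as itself, so being a
    # superuser does not by itself open other users' sessions.
    return user == session.runs_as

def replay() -> dict:
    """Replay the report's requests, then the gateway case from the comment."""
    direct = Session(371, owner="prabhu", proxy_user="prabhu")
    via_gw = Session(372, owner="knox", proxy_user="prabhu")  # constructed
    return {
        "prabhu -> 371": can_modify(direct, "prabhu"),
        "don -> 371": can_modify(direct, "don"),
        "john -> 371": can_modify(direct, "john"),
        "don as prabhu -> 371": can_modify(direct, "don", "prabhu"),
        "knox for prabhu -> 372": can_modify(via_gw, "knox", "prabhu"),
        "knox for don -> 372": can_modify(via_gw, "knox", "don"),
        "knox alone -> 372": can_modify(via_gw, "knox"),
    }
```

Under this model the statement from "don" and the DELETE from "john" shown in the report are both denied, and a gateway request that carries no end-user name is denied as well.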