Posted to issues@livy.apache.org by "Saisai Shao (Jira)" <ji...@apache.org> on 2021/02/24 01:40:00 UTC

[jira] [Closed] (LIVY-833) Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)

     [ https://issues.apache.org/jira/browse/LIVY-833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Saisai Shao closed LIVY-833.
----------------------------
    Resolution: Won't Fix

> Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LIVY-833
>                 URL: https://issues.apache.org/jira/browse/LIVY-833
>             Project: Livy
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.7.0
>            Reporter: Kaidi Zhao
>            Priority: Major
>              Labels: security
>
> It looks like a regular user (client) of Livy can use commands like:
> spark.sparkContext.getConf().getAll()
> The command will retrieve all Spark configurations, including those passwords (such as spark.ssl.trustStorePassword, spark.ssl.keyPassword).
> I would suggest blocking / masking these passwords.
> PS, Spark's UI fixed this issue in this https://issues.apache.org/jira/browse/SPARK-16796


