You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zeppelin.apache.org by "Dmitry Zhukov (JIRA)" <ji...@apache.org> on 2016/09/27 08:30:20 UTC

[jira] [Created] (ZEPPELIN-1497) %spark and %python interpreters are able to read credentials.json file

Dmitry Zhukov created ZEPPELIN-1497:
---------------------------------------

             Summary: %spark and %python interpreters are able to read credentials.json file
                 Key: ZEPPELIN-1497
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-1497
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.6.1
            Reporter: Dmitry Zhukov


Currently DB credentials for all users are stored in a plain text file on disk. This file is readable by any interpreter capable of running arbitrary code with Zeppelin user privileges, e.g. %python or %spark.

{code}
%spark
scala.io.Source.fromFile("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json").mkString
{code}
{noformat}
res6: String =
{
  "credentialsMap": {
    "anonymous": {
      "userCredentials": {
        "testdb": {
          "username": "user",
          "password": "pass"
        }
      }
    }
  }
}
{noformat}

{code}
%python
open("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json", 'r').read()
{code}
{noformat}
'{\n  "credentialsMap": {\n    "anonymous": {\n      "userCredentials": {\n        "testdb": {\n          "username": "user",\n          "password": "pass"\n        }\n      }\n    }\n  }\n}'
{noformat}

Basically if one has %python or %spark interpreters enabled it makes the whole credentials store useless and even dangerous.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)