Posted to issues@livy.apache.org by "Ankur Gupta (JIRA)" <ji...@apache.org> on 2019/04/24 17:33:00 UTC
[jira] [Created] (LIVY-591) ACLs enforcement should occur on both session owner and proxy user
Ankur Gupta created LIVY-591:
--------------------------------
Summary: ACLs enforcement should occur on both session owner and proxy user
Key: LIVY-591
URL: https://issues.apache.org/jira/browse/LIVY-591
Project: Livy
Issue Type: Improvement
Components: Server
Affects Versions: 0.5.0, 0.4.0
Reporter: Ankur Gupta
Currently, ACL enforcement occurs only on the session owner. So a request is authorized if the request user is the same as the session owner or has the correct ACLs configured.
E.g.: https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70
In case of impersonation, the proxy user is checked against the session owner; instead, he should be checked against the session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it if ACLs are not configured correctly.
Additionally, it seems there is no auth check right now while creating a session. We should add that check as well (against modify-session ACLs).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
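
The check described in this report, as an added example that is not part of the original message and is not Livy's code: a simplified Scala model that compares an owner-only authorization check with one that also accepts the session's proxy user. The types, method names and user names are hypothetical and constructed for illustration.

```scala
// Added illustration: a simplified model, not Livy's implementation.
// Session, AccessManager and AclCheck are hypothetical names.
final case class Session(id: Int, owner: String, proxyUser: Option[String])

final class AccessManager(modifyAcl: Set[String]) {
  // Stand-in for "has correct ACLs configured" in the report.
  def hasModifyAccess(user: String): Boolean = modifyAcl.contains(user)
}

object AclCheck {
  // Behaviour the report describes: only the session owner is compared.
  def ownerOnly(s: Session, requestUser: String, am: AccessManager): Boolean =
    requestUser == s.owner || am.hasModifyAccess(requestUser)

  // Behaviour the report asks for: the session's proxy user is accepted too.
  def ownerOrProxy(s: Session, requestUser: String, am: AccessManager): Boolean =
    requestUser == s.owner ||
      s.proxyUser.contains(requestUser) ||
      am.hasModifyAccess(requestUser)
}

object Demo extends App {
  // Constructed sample data: "admin" is the only user in the modify ACL.
  val am = new AccessManager(modifyAcl = Set("admin"))

  // One session created with impersonation, one without.
  val impersonated = Session(1, owner = "gateway", proxyUser = Some("alice"))
  val direct       = Session(2, owner = "bob", proxyUser = None)

  val users = Seq("gateway", "alice", "bob", "admin", "mallory")

  for (s <- Seq(impersonated, direct); u <- users) {
    val before = AclCheck.ownerOnly(s, u, am)
    val after  = AclCheck.ownerOrProxy(s, u, am)
    // Flag the rows where the two checks disagree.
    val note = if (before != after) "  <- differs" else ""
    println(s"session=${s.id} user=$u ownerOnly=$before ownerOrProxy=$after$note")
  }
}
```

The two checks disagree only for the impersonated session's proxy user; for a session without a proxy user they are equivalent, and a user who is neither owner, proxy user nor in the ACL is rejected by both.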