Posted to issues@livy.apache.org by "Ankur Gupta (JIRA)" <ji...@apache.org> on 2019/04/24 17:33:00 UTC

[jira] [Created] (LIVY-591) ACLs enforcement should occur on both session owner and proxy user

Ankur Gupta created LIVY-591:
--------------------------------

             Summary: ACLs enforcement should occur on both session owner and proxy user
                 Key: LIVY-591
                 URL: https://issues.apache.org/jira/browse/LIVY-591
             Project: Livy
          Issue Type: Improvement
          Components: Server
    Affects Versions: 0.5.0, 0.4.0
            Reporter: Ankur Gupta


Currently, ACL enforcement occurs only on the session owner. So, a request is authorized if the request user is the same as the session owner or has the correct ACLs configured.

E.g.: https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70

In case of impersonation, the proxy user is checked against the session owner; instead, he should be checked against the session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it if ACLs are not configured correctly.

Additionally, it seems there is no auth check right now while creating a session. We should add that check as well (against the modify-session ACLs).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
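
The authorization gap reported in LIVY-591, modelled as an added example that is not part of the original message and is not Livy's code: an owner-only check beside a check that also accepts the session's proxy user, plus a creation check against the modify ACLs. Session, Acls and the function names are hypothetical, and the request user is assumed to be the effective (impersonated) name when impersonation is in use.

```scala
// Added illustration of LIVY-591; all names here are hypothetical, not Livy classes.
object ProxyAclExample {
  final case class Session(owner: String, proxyUser: Option[String])
  final case class Acls(view: Set[String], modify: Set[String])

  // Behaviour the issue describes: the request user is compared only with the
  // session owner, then with the modify ACLs.
  def ownerOnlyModify(s: Session, requestUser: String, acls: Acls): Boolean =
    requestUser == s.owner || acls.modify.contains(requestUser)

  // Behaviour the issue asks for: the session's proxy user is accepted as well.
  def ownerOrProxyModify(s: Session, requestUser: String, acls: Acls): Boolean =
    ownerOnlyModify(s, requestUser, acls) || s.proxyUser.contains(requestUser)

  // Creation check proposed in the issue's last paragraph (assumes ACLs are enabled):
  // only users in the modify ACLs may create a session.
  def canCreate(requestUser: String, acls: Acls): Boolean =
    acls.modify.contains(requestUser)

  def main(args: Array[String]): Unit = {
    // Constructed sample data: a gateway account owns the session on behalf of alice.
    val acls = Acls(view = Set("auditor"), modify = Set("admin"))
    val session = Session(owner = "gateway-svc", proxyUser = Some("alice"))

    // alice is the case from the issue: rejected by the owner-only check although
    // the session runs as her. mallory must stay rejected under both checks.
    for (user <- Seq("gateway-svc", "alice", "admin", "auditor", "mallory")) {
      val before = ownerOnlyModify(session, user, acls)
      val after = ownerOrProxyModify(session, user, acls)
      println(s"$user: ownerOnly=$before ownerOrProxy=$after canCreate=${canCreate(user, acls)}")
    }
  }
}
```

The only decision that differs between the two checks is the one for the session's own proxy user; a view-only user and an unrelated user are still denied modify access.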