You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@livy.apache.org by "Kaidi Zhao (Jira)" <ji...@apache.org> on 2021/02/22 18:08:00 UTC

[jira] [Created] (LIVY-833) Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)

Kaidi Zhao created LIVY-833:
-------------------------------

             Summary: Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)
                 Key: LIVY-833
                 URL: https://issues.apache.org/jira/browse/LIVY-833
             Project: Livy
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.7.0
            Reporter: Kaidi Zhao


It looks like a regular user (client) of Livy, can use commands like: 

spark.sparkContext.getConf().getAll()

The command will retry all spark configurations including those passwords (such as spark.ssl.trustStorePassword, spark.ssl.keyPassword). 

I would suggest to block / mask these password. 

PS, Spark's UI fixed this issue in this https://issues.apache.org/jira/browse/SPARK-16796



--
This message was sent by Atlassian Jira
(v8.3.4#803005)