You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@livy.apache.org by "Kaidi Zhao (Jira)" <ji...@apache.org> on 2021/02/22 18:08:00 UTC
[jira] [Created] (LIVY-833) Livy allows users to see password in
config files
(spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword,
etc)
Kaidi Zhao created LIVY-833:
-------------------------------
Summary: Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)
Key: LIVY-833
URL: https://issues.apache.org/jira/browse/LIVY-833
Project: Livy
Issue Type: Bug
Components: Server
Affects Versions: 0.7.0
Reporter: Kaidi Zhao
It looks like a regular user (client) of Livy, can use commands like:
spark.sparkContext.getConf().getAll()
The command will retry all spark configurations including those passwords (such as spark.ssl.trustStorePassword, spark.ssl.keyPassword).
I would suggest to block / mask these password.
PS, Spark's UI fixed this issue in this https://issues.apache.org/jira/browse/SPARK-16796
--
This message was sent by Atlassian Jira
(v8.3.4#803005)