ZEPPELIN-4151

Any user can see configurations and notebooks despite shiro authentication


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.8.1
    • Fix Version/s: 0.9.0
    • Component/s: GUI, Interpreters
    • Environment: Linux
    • Flags: Patch, Important

      Description

      Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?

      For example, any user can just execute the following in a note to get what is inside the shiro.ini file.

      import scala.sys.process._
      "cat conf/shiro.ini".!!
      

      I know that one can use livy.spark instead for proper user impersonation, but then you can't use ZeppelinContext variable z.
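One defender-side check that follows from the description, as an added example that is not from the Zeppelin project or the reporter: a Python scanner for stored notebook files that flags paragraphs invoking host process execution or reading the Zeppelin conf directory, so an administrator can triage notes on an instance where interpreters still run as the server's OS user. It assumes the note.json layout (a top-level "paragraphs" list with each paragraph's source in "text") and runs on a constructed sample note.

```python
import json
import re
from typing import Dict, List

# Constructed sample in the shape of a Zeppelin note.json. Assumption: the file
# carries a top-level "paragraphs" list and each paragraph's source is in "text".
SAMPLE_NOTE = json.dumps({
    "name": "audit-demo",
    "paragraphs": [
        {"text": "%md\nHarmless markdown paragraph"},
        {"text": "%spark\nval df = spark.read.json(\"data.json\")\ndf.count()"},
        {"text": "%spark\nimport scala.sys.process._\n\"cat conf/shiro.ini\".!!"},
        {"text": "%sh\nls -la"},
    ],
})

# Indicators that a paragraph reaches out of the interpreter into the host
# process: Scala process execution, JVM Runtime.exec, references to files in the
# Zeppelin conf directory, and use of the shell interpreter itself.
SUSPICIOUS = [
    ("scala.sys.process import", re.compile(r"scala\.sys\.process")),
    ("scala process execution", re.compile(r"\.!{1,2}")),
    ("Runtime.exec", re.compile(r"Runtime\.getRuntime\(\)\s*\.exec")),
    ("reads Zeppelin conf", re.compile(r"conf/(shiro\.ini|zeppelin-site\.xml)")),
    ("%sh interpreter", re.compile(r"^\s*%sh\b", re.MULTILINE)),
]


def scan_note(note_json: str) -> List[Dict]:
    """Return one finding per paragraph whose source matches any indicator.

    Each finding records the paragraph index, the matched indicator labels and
    the paragraph text, so a reviewer can see why it was flagged.
    """
    note = json.loads(note_json)
    findings = []
    for idx, para in enumerate(note.get("paragraphs", [])):
        text = para.get("text") or ""
        reasons = [label for label, rx in SUSPICIOUS if rx.search(text)]
        if reasons:
            findings.append({"paragraph": idx, "reasons": reasons, "text": text})
    return findings


if __name__ == "__main__":
    for finding in scan_note(SAMPLE_NOTE):
        print(f"paragraph {finding['paragraph']}: {', '.join(finding['reasons'])}")
```

Pattern matching only catches the plain form shown in the report and is easy to evade, so treat it as a triage aid for an audit, not a control; the actual mitigation is running interpreters under a separate OS account (impersonation) so the server's conf directory is not readable to them.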


              People

              • Assignee: Unassigned
              • Reporter: Hamid Mushtaq (metallicpriest)
              • Votes: 0
              • Watchers: 3


                  Time Tracking

                  • Estimated: 336h (original estimate)
                  • Remaining: 336h
                  • Logged: Not Specified