Details
Type: Task
Status: Resolved
Priority: Major
Resolution: Works for Me
Affects Version/s: 0.3
Fix Version/s: None
Component/s: Core
Labels: None
Description
Dev,
Livy sessions or batches are not currently secured, i.e. User A can start a session or batch and User B can submit code to the session started by User A or even stop that session. This is a critical issue on a secured cluster: when User A has access to sensitive data, there may be a chance that User B can access those sensitive datasets through User A's session.
Here is an example from our secured cluster.
- Starting session from user "prabhu"
curl --silent --negotiate -u:prabhu localhost:8998/sessions -X POST -H 'Content-Type: application/json' -d '
{ "kind":"scala", "proxyUser":"prabhu", "name":"Testing" }' | python -m json.tool
{
"id": 371,
"appId": null,
"owner": "prabhu",
"proxyUser": "prabhu",
"state": "starting",
"kind": "spark",
"appInfo":
,
"log": []
}
- Executing code in the above session as some other user, "don"
curl --silent --negotiate -u:don localhost:8998/sessions/371/statements -X POST -H 'Content-Type: application/json' -d '
{ "code":"sc.applicationId" }' | python -m json.tool
{
"id": 0,
"state": "available",
"output": {
"status": "ok",
"execution_count": 0,
"data":
}
}
- Stopping the above session as a different user, "john", this time
curl --silent --negotiate -u:john localhost:8998/sessions/371 -X DELETE | python -m json.tool
{ "msg": "deleted" }
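
The access check this report asks for, sketched as an added example (not part of the original report and not Livy's own code): every session-scoped request is authorized against the user who created the session before any code is accepted or the session is stopped. `SessionStore`, `ADMINS`, `handle` and `replay` are hypothetical names, and the administrator allow-list is an assumption.

```python
import re
from itertools import count

ADMINS = {"livy-admin"}  # constructed allow-list of administrators (assumption)

class SessionStore:
    """Hypothetical in-memory stand-in for a session-scoped REST service."""

    def __init__(self, first_id=0):
        self._ids = count(first_id)
        self.owners = {}  # session id -> authenticated user who created it

    def handle(self, user, method, path, body=None):
        """Return an HTTP-style status for a request from authenticated `user`."""
        body = body or {}
        if method == "POST" and path == "/sessions":
            # Running a session as someone else is itself a privileged action.
            if body.get("proxyUser", user) != user and user not in ADMINS:
                return 403
            self.owners[next(self._ids)] = user
            return 201
        m = re.fullmatch(r"/sessions/(\d+)(/statements)?", path)
        sid = int(m.group(1)) if m else None
        if sid not in self.owners:
            return 404
        # Ownership is checked before any state change or code submission.
        if user != self.owners[sid] and user not in ADMINS:
            return 403
        if method == "POST" and m.group(2):
            return 201  # statement accepted for execution
        if method == "DELETE" and not m.group(2):
            del self.owners[sid]
            return 200
        return 405

def replay():
    """Replay the report's three requests, then the owner's own DELETE."""
    store = SessionStore(first_id=371)  # 371 is the session id in the report
    requests = [
        ("prabhu", "POST", "/sessions", {"kind": "scala", "proxyUser": "prabhu"}),
        ("don", "POST", "/sessions/371/statements", {"code": "sc.applicationId"}),
        ("john", "DELETE", "/sessions/371", None),
        ("prabhu", "DELETE", "/sessions/371", None),
    ]
    return [store.handle(*r) for r in requests]

if __name__ == "__main__":
    print(replay())
```

With the check in place, the requests from "don" and "john" are rejected with 403 while the owner's own requests succeed.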