Hamid Mushtaq created ZEPPELIN-4151:
---------------------------------------

Summary: A user can see configurations and notebooks despite shiro authentication
Key: ZEPPELIN-4151
URL: https://issues.apache.org/jira/browse/ZEPPELIN-4151
Project: Zeppelin
Issue Type: Bug
Components: GUI, Interpreters
Affects Versions: 0.8.1
Environment: Linux
Reporter: Hamid Mushtaq
Fix For: 0.9.0, 0.8.2

Without user impersonation (which is impossible with %spark anyway), a user can just write a simple script to see any file in the Zeppelin folder, including shiro.ini or any notes. So, the users and passwords in shiro become pretty meaningless. Can't Zeppelin just disallow such peeking?

For example, I can just execute the following in a note to get what is inside the shiro.ini file.

{code:scala}
import scala.sys.process._
"cat conf/shiro.ini".!!
{code}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)