Kaidi Zhao created LIVY-833:
-------------------------------

             Summary: Livy allows users to see passwords in config files
(spark.ssl.keyPassword, spark.ssl.keyStorePassword, spark.ssl.trustStorePassword,
etc.)
                 Key: LIVY-833
                 URL: https://issues.apache.org/jira/browse/LIVY-833
             Project: Livy
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.7.0
            Reporter: Kaidi Zhao


It looks like a regular user (client) of Livy can use commands like:

spark.sparkContext.getConf().getAll()

The command will retrieve all Spark configurations, including those passwords (such
as spark.ssl.trustStorePassword, spark.ssl.keyPassword).

I would suggest blocking / masking these passwords.

PS: Spark's UI fixed this issue in
https://issues.apache.org/jira/browse/SPARK-16796



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
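
Added example (not part of the original report, and not Livy's or Spark's own code): one way to mask password-like entries in the (key, value) list that getConf().getAll() returns before it is displayed or logged. It goes slightly beyond the keys named in the issue by also masking values that embed a secret under a harmless-looking key. The regex, the mask string, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumption: what counts as "sensitive"; tune this for the deployment.
SENSITIVE = re.compile(r"(?i)secret|password|passwd|token|credential")
MASK = "*********(redacted)"


def is_sensitive(key, value, pattern=SENSITIVE):
    """True when the key name OR the value text matches the pattern."""
    text = "" if value is None else str(value)
    return bool(pattern.search(key) or pattern.search(text))


def redact_conf(pairs, pattern=SENSITIVE, mask=MASK):
    """Return a copy of the (key, value) pairs with sensitive values masked."""
    return [(k, mask if is_sensitive(k, v, pattern) else v) for k, v in pairs]


def leaked_keys(pairs, pattern=SENSITIVE):
    """Sorted list of keys whose values would be exposed without masking."""
    return sorted(k for k, v in pairs if is_sensitive(k, v, pattern))


# Constructed sample in the shape of spark.sparkContext.getConf().getAll().
SAMPLE_CONF = [
    ("spark.app.name", "livy-session-0"),
    ("spark.ssl.keyPassword", "constructed-key-pw"),
    ("spark.ssl.keyStorePassword", "constructed-ks-pw"),
    ("spark.ssl.trustStorePassword", "constructed-ts-pw"),
    ("spark.ssl.keyStore", "/etc/constructed/keystore.jks"),
    # The key name looks harmless, but the value carries a password.
    ("spark.driver.extraJavaOptions",
     "-Djavax.net.ssl.trustStorePassword=constructed-ts-pw"),
    ("spark.executor.memory", "2g"),
]

if __name__ == "__main__":
    for key, value in redact_conf(SAMPLE_CONF):
        print(f"{key}={value}")
    print("would leak:", leaked_keys(SAMPLE_CONF))
```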
