[jira] [Closed] (LIVY-833) Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)

Saisai Shao (Jira) Tue, 23 Feb 2021 17:40:05 -0800


     [ 
https://issues.apache.org/jira/browse/LIVY-833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Saisai Shao closed LIVY-833.
----------------------------
    Resolution: Won't Fix

> Livy allows users to see password in config files 
> (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword,
>  etc)
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LIVY-833
>                 URL: https://issues.apache.org/jira/browse/LIVY-833
>             Project: Livy
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.7.0
>            Reporter: Kaidi Zhao
>            Priority: Major
>              Labels: security
>
> It looks like a regular user (client) of Livy, can use commands like: 
> spark.sparkContext.getConf().getAll()
> The command will retry all spark configurations including those passwords 
> (such as spark.ssl.trustStorePassword, spark.ssl.keyPassword). 
> I would suggest to block / mask these password. 
> PS, Spark's UI fixed this issue in this 
> https://issues.apache.org/jira/browse/SPARK-16796



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Closed] (LIVY-833) Livy allows users to see password in config files (spark.ssl.keyPassword,spark.ssl.keyStorePassword,spark.ssl.trustStorePassword, etc)

Reply via email to