[ https://issues.apache.org/jira/browse/LIVY-591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ankur Gupta updated LIVY-591:
-----------------------------
Affects Version/s: (was: 0.5.0)
(was: 0.4.0)
0.6.0
> ACLs enforcement should occur on both session owner and proxy user
> ------------------------------------------------------------------
>
> Key: LIVY-591
> URL: https://issues.apache.org/jira/browse/LIVY-591
> Project: Livy
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.6.0
> Reporter: Ankur Gupta
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently, ACL enforcement occurs only on the session owner. So, a request is
> authorized if the request user is the same as the session owner or has the
> correct ACLs configured.
> E.g.:
> https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70
> In case of impersonation, the proxy user is checked against the session owner;
> instead, he should be checked against the session proxy. Otherwise, a proxy user
> who created the session will not be able to submit statements against it if
> ACLs are not configured correctly.
> Additionally, it seems there is no auth check right now while creating a
> session. We should add that check as well (against modify-session ACLs).
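The authorization change requested in this issue, as an added example rather than Livy's own code: `Session`, `Acls` and their methods are hypothetical names, and the users are constructed. It contrasts the owner-only comparison with one that also accepts the session's proxy user, and gates session creation on the modify ACL.

```scala
// Added illustration. Session, Acls and all method names are hypothetical
// and do not reproduce Livy's access-control classes.
final case class Session(owner: String, proxyUser: Option[String])

final case class Acls(modifyUsers: Set[String]) {
  private def inModifyAcl(user: String): Boolean = modifyUsers.contains(user)

  // Behaviour described in the issue: the request user is compared with the
  // session owner only, so an impersonated creator falls through to the ACL.
  def canModifyOwnerOnly(s: Session, requestUser: String): Boolean =
    requestUser == s.owner || inModifyAcl(requestUser)

  // Requested behaviour: the request user may match the owner or the
  // session's proxy user; anyone else still needs the modify ACL.
  def canModify(s: Session, requestUser: String): Boolean =
    requestUser == s.owner ||
      s.proxyUser.contains(requestUser) ||
      inModifyAcl(requestUser)

  // Requested behaviour: creating a session is itself checked against the
  // modify-session ACL instead of being unauthenticated.
  def canCreate(requestUser: String): Boolean = inModifyAcl(requestUser)
}

object AclDemo extends App {
  // Constructed scenario: "gateway" authenticated and created the session
  // while impersonating "alice"; only "admin" is in the modify ACL.
  val acls = Acls(modifyUsers = Set("admin"))
  val session = Session(owner = "gateway", proxyUser = Some("alice"))

  // Owner-only check locks the proxy user out of her own session.
  assert(!acls.canModifyOwnerOnly(session, "alice"))
  // Checking both identities lets her submit statements.
  assert(acls.canModify(session, "alice"))
  assert(acls.canModify(session, "gateway"))
  // The ACL path is unchanged: listed users pass, unrelated users do not.
  assert(acls.canModify(session, "admin"))
  assert(!acls.canModify(session, "mallory"))
  // Session creation is refused for users outside the modify ACL.
  assert(acls.canCreate("admin"))
  assert(!acls.canCreate("mallory"))
  println("all checks passed")
}
```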