Dmitry Zhukov created ZEPPELIN-1497:
---------------------------------------

             Summary: %spark and %python interpreters are able to read credentials.json file
                 Key: ZEPPELIN-1497
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-1497
             Project: Zeppelin
          Issue Type: Bug
    Affects Versions: 0.6.1
            Reporter: Dmitry Zhukov


Currently, DB credentials for all users are stored in a plain-text file on disk. This file is readable by any interpreter capable of running arbitrary code with Zeppelin user privileges, e.g. %python or %spark.

{code}
%spark
scala.io.Source.fromFile("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json").mkString
{code}

{noformat}
res6: String =
{
  "credentialsMap": {
    "anonymous": {
      "userCredentials": {
        "testdb": {
          "username": "user",
          "password": "pass"
        }
      }
    }
  }
}
{noformat}

{code}
%python
open("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json", 'r').read()
{code}

{noformat}
'{\n "credentialsMap": {\n "anonymous": {\n "userCredentials": {\n "testdb": {\n "username": "user",\n "password": "pass"\n }\n }\n }\n }\n}'
{noformat}

Basically, if one has %python or %spark interpreters enabled, it makes the whole credentials store useless and even dangerous.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
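As an added example (not part of the report above and not Zeppelin's own code), the Python script below parses the credentials.json layout shown in the report and summarises what a paragraph running as the Zeppelin OS user can obtain from it: whether the file is readable at all, whether its mode also grants group/other read, and how many secrets for which Zeppelin users it holds. It goes beyond the report's single "anonymous" entry by including a constructed second user with two entities, to show that every user's credentials are exposed at once; the sample contents, the temporary file standing in for conf/credentials.json, and the function names are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile

# Constructed sample: same layout as the credentials.json in the report,
# with a second Zeppelin user ("alice") added so the run shows that
# one readable file leaks every user's secrets, not just the caller's.
SAMPLE_CREDENTIALS_JSON = """{
  "credentialsMap": {
    "anonymous": {
      "userCredentials": {
        "testdb": {"username": "user", "password": "pass"}
      }
    },
    "alice": {
      "userCredentials": {
        "proddb": {"username": "alice_db", "password": "s3cret"},
        "warehouse": {"username": "wh_ro", "password": "readonly"}
      }
    }
  }
}"""


def extract_credentials(text):
    """Parse a credentials.json body into (zeppelin_user, entity, username, password) tuples.

    Nesting is credentialsMap -> <zeppelin user> -> userCredentials -> <entity> -> {username, password}.
    """
    data = json.loads(text)
    found = []
    for zuser, entry in data.get("credentialsMap", {}).items():
        for entity, cred in entry.get("userCredentials", {}).items():
            found.append((zuser, entity, cred.get("username"), cred.get("password")))
    return found


def audit_credentials_file(path):
    """Report what code running as the current OS user (the interpreter process) can learn from `path`.

    Passwords are deliberately not included in the report; only their count and owners are.
    """
    report = {"path": path, "readable": os.access(path, os.R_OK)}
    if not report["readable"]:
        report.update(group_or_world_readable=None, secret_count=0, zeppelin_users=[])
        return report
    mode = os.stat(path).st_mode
    # Even if only the Zeppelin user can read it, any interpreter running as that user can too.
    report["group_or_world_readable"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    with open(path, "r") as f:
        creds = extract_credentials(f.read())
    report["secret_count"] = len(creds)
    report["zeppelin_users"] = sorted({c[0] for c in creds})
    return report


def demo():
    """Write the constructed sample to a temp file (stand-in for conf/credentials.json),
    audit it as the current user, remove it, and return the report."""
    fd, path = tempfile.mkstemp(prefix="credentials-", suffix=".json")  # created mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_CREDENTIALS_JSON)
        return audit_credentials_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Pointing `audit_credentials_file` at a real Zeppelin `conf/credentials.json` from inside a %python paragraph reproduces the report's finding without printing the passwords; a `readable: True` result means the interpreter user, and therefore any notebook author allowed to use that interpreter, can read every stored credential.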