Hi Harun,

Probably the best feature that is going to help you with Livy is controlling the bind interface. By default it is set to 0.0.0.0. If you set it to 127.0.0.1 then only apps calling Livy by that IP will be allowed in. This will put much of the onus of protecting access to the host on your application, and then it will be up to you to figure out how to safeguard it from injection. This, together with Kerberos, should give you only one user on one host that can access Livy, and then code injection becomes your next concern.

    # What host address to start the server on. By default, Livy will bind to all network interfaces.
    # livy.server.host = 0.0.0.0

Livy also supports user impersonation, and I experimented with that some time back but had difficulty getting it working; perhaps you will have better luck. See my previous post on the topic in this forum.

Thanks,
Tim

________________________________
From: Harun Zengin <[email protected]>
Sent: Thursday, August 2, 2018 1:30:07 AM
To: [email protected]
Subject: Security Questions

[External Email]
________________________________

Hi,

we are trying to build a setup where we have a server that submits jobs of different users to the Livy server via the REST API. We established a Kerberos server to authenticate against Livy, with one superuser that makes the requests on behalf of the users. But we want to prohibit the users from accessing a different user's data, the filesystem, and the network.

My question would then be, how secure is Livy? Users can inject custom code to run on Livy, but this gives them the ability to access the filesystem on the host the Livy server resides on. Even if we run Livy with a different Unix user that has very few permissions on the filesystem, that could be potentially dangerous from my point of view; they could potentially access the keytab on the Livy server also. And they could also potentially inject malware and run it.

I know that the session created also creates a JVM, so one session lives in a JVM, and it is impossible to see another session without having the Kerberos ticket, but could I change the security settings of that JVM to only access specific paths and specific IP addresses? Would that mean for me to change the source code of Livy?

And in the case of using HDFS with Active Directory to secure the data system, so that users need to specify a Kerberos key to access their files, how could I manage multiple principals in one server to get this working?

Any help on any of the questions is very much appreciated.

Thanks in advance,
Harun
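The settings discussed in this thread (the bind address, Kerberos authentication and impersonation) all live in livy.conf, so an operator can check them before exposing the REST API. The script below is an added example, not code from either message or from the Livy project: it parses a livy.conf and reports which of those settings are still at their permissive defaults. The key names are real Livy configuration keys; the two sample files, the principal and the keytab path are constructed placeholders.

```python
"""Audit a livy.conf for the access-control settings discussed in the thread.

Added example, not part of the mailing-list exchange. The key names
(livy.server.host, livy.server.auth.type, livy.impersonation.enabled, ...)
are real Livy configuration keys; the sample file contents are constructed.
"""
import re

# Constructed sample: the shipped template, with the bind address left
# commented out (so Livy listens on every interface) and no auth configured.
WEAK_CONF = """\
# What host address to start the server on. By default, Livy will bind to all network interfaces.
# livy.server.host = 0.0.0.0
livy.server.port = 8998
"""

# Constructed sample: loopback-only bind, Kerberos auth and impersonation on.
# Principal and keytab path are placeholders, not values from the thread.
HARDENED_CONF = """\
livy.server.host = 127.0.0.1
livy.server.port = 8998
livy.server.auth.type = kerberos
livy.server.auth.kerberos.principal = HTTP/livy.example.com@EXAMPLE.COM
livy.server.auth.kerberos.keytab = /path/to/livy.keytab
livy.impersonation.enabled = true
"""

# Livy's own defaults when a key is absent from the file.
DEFAULTS = {
    "livy.server.host": "0.0.0.0",
    "livy.server.auth.type": "",        # no authentication
    "livy.impersonation.enabled": "false",
}

# Bind addresses that mean "every interface" (IPv4 and IPv6 wildcards).
WILDCARD_HOSTS = ("0.0.0.0", "::")


def parse_conf(text):
    """Parse 'key = value' lines of a livy.conf; '#' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(text):
    """Return a list of findings for a livy.conf; an empty list means clean."""
    s = parse_conf(text)
    get = lambda key: s.get(key, DEFAULTS.get(key, "")).strip()
    findings = []

    if get("livy.server.host") in WILDCARD_HOSTS:
        findings.append(
            "livy.server.host binds all interfaces (the default); "
            "set 127.0.0.1 so only callers on this host reach the REST API")
    if get("livy.server.auth.type").lower() != "kerberos":
        findings.append(
            "livy.server.auth.type is not kerberos; the REST API accepts "
            "unauthenticated requests")
    if get("livy.impersonation.enabled").lower() != "true":
        findings.append(
            "livy.impersonation.enabled is false; every session runs as "
            "the Livy service user, not as the submitting user")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}:")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against the real file with `audit(open("/etc/livy/conf/livy.conf").read())`; an empty result only means these three keys are set as the thread recommends, not that code submitted through the API is confined, which is the separate JVM-level question Harun raises.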
