Ankur Gupta created LIVY-591:
--------------------------------

             Summary: ACLs enforcement should occur on both session owner and proxy user
                 Key: LIVY-591
                 URL: https://issues.apache.org/jira/browse/LIVY-591
             Project: Livy
          Issue Type: Improvement
          Components: Server
    Affects Versions: 0.5.0, 0.4.0
            Reporter: Ankur Gupta

Currently, ACLs enforcement occurs only on the session owner. So, a request is authorized if the request user is the same as the session owner or has the correct ACLs configured. E.g.:

https://github.com/apache/incubator-livy/blob/master/server/src/main/scala/org/apache/livy/server/interactive/InteractiveSessionServlet.scala#L70

In case of impersonation, the proxy user is checked against the session owner; instead, he should be checked against the session proxy. Otherwise, a proxy user who created the session will not be able to submit statements against it if ACLs are not configured correctly.

Additionally, it seems there is no auth check right now while creating a session. We should add that check as well (against modify-session ACLs).

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
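
A minimal model of the check described in this report, added here as an illustration and not taken from Livy's code: it contrasts an owner-only comparison with one that also accepts the session's proxy user, and adds a create-time check against the modify ACL. `Session`, `AccessPolicy`, every method name and the user names are hypothetical, and applying the create-time check to the request user is an assumption.

```scala
// Added illustration. All names here are hypothetical, not Livy's API.
final case class Session(owner: String, proxyUser: Option[String])

final case class AccessPolicy(aclsEnabled: Boolean, modifyAcl: Set[String]) {
  // With ACLs disabled every user passes; otherwise the user must be listed.
  private def inModifyAcl(user: String): Boolean =
    !aclsEnabled || modifyAcl.contains(user)

  // Behaviour the report describes: the request user is compared with the
  // session owner only, so an impersonated user needs an explicit ACL entry.
  def canModifyOwnerOnly(s: Session, requestUser: String): Boolean =
    requestUser == s.owner || inModifyAcl(requestUser)

  // Behaviour the report asks for: the session owner or the session's
  // proxy user may act on the session; everyone else needs the modify ACL.
  def canModify(s: Session, requestUser: String): Boolean =
    requestUser == s.owner ||
      s.proxyUser.contains(requestUser) ||
      inModifyAcl(requestUser)

  // Create-time check the report proposes, against the modify-session ACL.
  // Assumption: it is applied to the request user.
  def canCreate(requestUser: String): Boolean = inModifyAcl(requestUser)
}

object AclDemo extends App {
  // Constructed sample: "gateway" authenticates and impersonates "alice".
  val policy  = AccessPolicy(aclsEnabled = true, modifyAcl = Set("gateway"))
  val session = Session(owner = "gateway", proxyUser = Some("alice"))

  for (user <- Seq("gateway", "alice", "mallory")) {
    val before = policy.canModifyOwnerOnly(session, user)
    val after  = policy.canModify(session, user)
    println(s"$user: owner-only=$before owner-or-proxy=$after")
  }
  for (user <- Seq("gateway", "mallory"))
    println(s"$user may create a session: ${policy.canCreate(user)}")
}
```

In this model only the result for `alice` differs between the two checks; a user who is neither owner, proxy user nor listed in the ACL is denied by both.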