[ 
https://issues.apache.org/jira/browse/SPARK-24510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16507976#comment-16507976
 ] 

Marco Gaido commented on SPARK-24510:
-------------------------------------

I am not sure this is a real issue. You can configure many authentication
mechanisms using spark.ui.filters (e.g. Kerberos authentication).

> Spark WebUI filters use Basic Authentication [security]
> -------------------------------------------------------
>
>                 Key: SPARK-24510
>                 URL: https://issues.apache.org/jira/browse/SPARK-24510
>             Project: Spark
>          Issue Type: Improvement
>          Components: Web UI
>    Affects Versions: 2.3.0
>            Reporter: t oo
>            Priority: Major
>              Labels: security
>
> *Risk/Issue summary finding*
> {code:java}
> Basic Authentication in Use{code}
> *Risk/Issue summary description/detail*
> {code:java}
> The only authentication method used by Spark web portals is basic HTTP 
> authentication. In basic HTTP authentication, passwords are encoded using the 
> Base64 encoding scheme, before being transmitted over the network. Note that 
> the web services communications were over HTTPS and as such the 
> communications between supplicant and service would be encrypted, reducing 
> the risk of this issue.{code}
> *Business impact / attack scenario*
> {code:java}
> An attacker given a reasonable time frame may be able to successfully perform 
> a brute-force attack on the credentials, and successfully authenticate to the 
> web service. The time frame for such an attack would also be significantly 
> reduced if common username and passwords are used, such as "Administrator" 
> and "password". Additionally, basic authentication credentials are sent with 
> every request and may be cached by the web browser. {code}
> *Recommendation*
> {code:java}
> By itself, basic authentication is not considered secure. Other, more secure, 
> authentication methods are offered by web servers and application frameworks 
> and should be considered.{code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
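To make the comment above concrete, here is an added configuration example (not part of the JIRA thread, not Spark project documentation) showing how a non-Basic authentication mechanism is plugged into the Spark Web UI through spark.ui.filters. It uses Hadoop's SPNEGO/Kerberos servlet filter, which Spark can load because spark.ui.filters accepts any standard javax.servlet.Filter class name, with filter init parameters passed as spark.<filter class>.param.<name>. The principal, keytab path, secret file path, and the exact parameter spelling should be treated as assumptions to be checked against the Hadoop and Spark versions actually deployed.

```properties
# spark-defaults.conf (added example; values are placeholders, not from the issue)

# Weak baseline this finding is about: no filter at all means the UI is
# unauthenticated, and a hand-written Basic-auth filter only adds a
# password that is replayed Base64-encoded on every request.
#spark.ui.filters

# Hardened: delegate UI authentication to Hadoop's AuthenticationFilter
# running in Kerberos (SPNEGO) mode. The browser proves identity with a
# Kerberos ticket; no static password crosses the wire, so the brute-force
# scenario in the finding does not apply.
spark.ui.filters  org.apache.hadoop.security.authentication.server.AuthenticationFilter

# Filter init params use the form spark.<filter class>.param.<param name>.
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.type                 kerberos
# ASSUMED values: HTTP service principal and keytab readable only by the Spark user.
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.principal   HTTP/_HOST@EXAMPLE.COM
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.keytab      /etc/security/keytabs/spark.service.keytab
# Signed auth cookie: secret comes from a file (keep it 0600), and the
# cookie is only valid for a bounded time, so a stolen cookie ages out.
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.signature.secret.file /etc/spark/conf/http-auth-signature-secret
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.token.validity       3600
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.cookie.domain        example.com

# Even with a non-Basic filter, keep the UI on TLS so the signed cookie is
# not exposed in cleartext (the finding notes HTTPS was already in use).
spark.ssl.ui.enabled  true
```

Two practical checks after applying this: confirm the filter is actually installed by requesting any UI path without credentials and expecting a 401 with a "WWW-Authenticate: Negotiate" challenge rather than "Basic", and confirm the secret file and keytab are not world-readable on every node that runs a UI (driver, master, workers, history server), since a filter configured on the driver alone leaves the other endpoints open.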
