livy-user mailing list archives

From "Harsch, Tim" <Tim.Har...@Teradata.com>
Subject Re: Security Questions
Date Thu, 02 Aug 2018 15:08:47 GMT
Hi Harun,

   Probably the best feature that is going to help you with Livy is controlling the bind interface.
 By default it is set to 0.0.0.0.  If you set it to 127.0.0.1 then only apps calling Livy
by that IP will be allowed in.  This will put much of the onus of protecting access to the
host on your application, and then it will be up to you to figure out how to safeguard it from
injection.  This, together with Kerberos, should give you only one user on one host that can
access Livy, and then code injection becomes your next concern.

# What host address to start the server on. By default, Livy will bind to all network interfaces.
# livy.server.host = 0.0.0.0

Livy also supports user impersonation, and I experimented with that some time back but had
difficulty getting it working; perhaps you will have better luck.  See my previous post on
the topic in this forum.


Thanks,

Tim

________________________________
From: Harun Zengin <harun.reich@gmail.com>
Sent: Thursday, August 2, 2018 1:30:07 AM
To: user@livy.incubator.apache.org
Subject: Security Questions

Hi,
we are trying to build a setup where we have a server that submits jobs
of different users to the Livy server via the REST API. We established a
Kerberos server to authenticate against Livy, with one superuser that
makes the requests on behalf of the users. But we want to prohibit
the users from accessing a different user's data, the filesystem, and the
network.

My question would then be, how secure is Livy? Users can inject custom
code to run on Livy, but this gives them the ability to access the
filesystem on the host the Livy server resides on. Even if we run Livy
as a different Unix user that has very few permissions on the
filesystem, that could be potentially dangerous from my point of view;
they could potentially access the keytab on the Livy server also. And
they could also potentially inject malware and run it.

I know that the session created also creates a JVM, so one session lives
in a JVM, and it is impossible to see another session without having the
Kerberos ticket, but could I change the security settings of that JVM to
only access specific paths and specific IP addresses? Would that
mean I have to change the source code of Livy?

And in the case of using HDFS with Active Directory to secure the
data system, so that users need to specify a Kerberos key to access their
files, how could I manage multiple principals on one server to get this
working?

Any help with any of the questions is very much appreciated,

Thanks in advance,


Harun
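
An added example, not part of the original thread and not Livy's own code: a small Python check of a livy.conf for the three controls the reply names (loopback bind, Kerberos, impersonation). The key names `livy.server.auth.type` and `livy.impersonation.enabled` and the assumed defaults are not quoted in the thread; the sample files are constructed.

```python
import re

# Constructed sample: a livy.conf left at its defaults. Commented-out keys
# are inactive, so the server falls back to its built-in default.
SAMPLE_DEFAULT = """\
# What host address to start the server on.
# livy.server.host = 0.0.0.0
"""

# Constructed sample: the settings discussed in the reply.
SAMPLE_HARDENED = """\
livy.server.host = 127.0.0.1
livy.server.auth.type = kerberos
livy.impersonation.enabled = true
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Return active key/value pairs; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def audit(text):
    """Return one finding per control that is missing or left at its default."""
    conf = parse_conf(text)
    findings = []
    # Default quoted in the reply: bind to all network interfaces.
    host = conf.get("livy.server.host", "0.0.0.0")
    if host not in LOOPBACK:
        findings.append(f"bind: livy.server.host={host} is not loopback-only")
    # Assumption: no auth type set means requests are not authenticated.
    if conf.get("livy.server.auth.type", "").lower() != "kerberos":
        findings.append("auth: livy.server.auth.type is not kerberos")
    # Assumption: impersonation is disabled unless explicitly enabled.
    if conf.get("livy.impersonation.enabled", "false").lower() != "true":
        findings.append("impersonation: livy.impersonation.enabled is not true")
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text) or "ok")
```

A clean result only confirms the settings are present; it says nothing about what code a submitted session can run once it is admitted, which is the injection concern both messages raise.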