Copy link to issue

summary

Loophole in H2O authentication with Sparkling water

Description

We noticed that when authentication is required
(with `-hash_login` for h2o backend/external cluster),
and users connecting to it from Sparkling Water,
then using SW endpoint they can login without username/password.

Seems to be a security loophole in authentication.

We would expect if authentication is enabled, all connections have to be authenticated,
not just ones that are going directly to h2o,

Activity

Show:

Jakub Hava

February 25, 2020, 10:07 PM

Copy link to comment

In Sparkling water 3.28.1.5 this is fixed on external backend by running it with the option spark.ext.h2o.rest.api.based.client=true for Python apps

Fixed

Assignee

Marek Novotny

Reporter

Ruslan Dautkhanov

Labels

None

CustomerVisible

testcase 1

None

testcase 2

None

testcase 3

None

h2ostream link

None

Affected Spark version

None

AffectedContact

None

AffectedCustomers

None

AffectedPilots

None

AffectedOpenSource

None

Support Assessment

None

Customer Request Type

None

Support ticket URL

None

End date

None

Baseline start date

None

Baseline end date

None

Task progress

None

Task mode

None

ReleaseNotesHidden

None

Fix versions

3.28.1.1-1

Affects versions

2.3.24

Priority

Major

Configure

Sparkling Water Scrum

Loophole in H2O authentication with Sparkling water

Description

Activity

Assignee

Reporter

Labels

CustomerVisible

testcase 1

testcase 2

testcase 3

h2ostream link

Affected Spark version

AffectedContact

AffectedCustomers

AffectedPilots

AffectedOpenSource

Support Assessment

Customer Request Type

Support ticket URL

End date

Baseline start date

Baseline end date

Task progress

Task mode

ReleaseNotesHidden

Fix versions

Affects versions

Priority