Loophole in H2O authentication with Sparkling water

Description

We noticed that when authentication is required
(with `-hash_login` for the h2o backend/external cluster)
and users connect to it from Sparkling Water,
then using the SW endpoint they can log in without a username/password.

Seems to be a security loophole in authentication.

We would expect that if authentication is enabled, all connections have to be authenticated,
not just the ones that go directly to h2o.

Activity

Jakub Hava
February 25, 2020, 10:07 PM

In Sparkling Water 3.28.1.5 this is fixed on the external backend by running it with the option `spark.ext.h2o.rest.api.based.client=true` for Python apps.

Fixed

Assignee

Marek Novotny

Reporter

Ruslan Dautkhanov

Labels

None

CustomerVisible

No


Fix versions

Affects versions

Priority

Major