We are trying to build a setup where we have a server that submits
jobs of different users to the Livy server via the REST API. We
established a Kerberos server to authenticate against Livy. But we want
to prohibit users from accessing a different user's data, the
filesystem, and the network.
My question would then be, how secure is Livy? Users can inject
custom code to run on Livy, but this gives them the ability to access
the filesystem on the host the Livy server resides on. Even if we run
Livy with a different Unix user that has very few permissions on the
filesystem, that could be potentially dangerous from my point of view;
they could potentially also access the keytab on the Livy server. And
they could also potentially inject malware and run it.
I know that the session created also creates a JVM, so one session
lives in a JVM, and it is impossible to see another session's data etc.
without having the Kerberos ticket, but could I change the security
settings of that JVM to only access specific paths and specific IP
addresses only? Would that mean for me to change the source code of
And in the case of using HDFS with Active Directory to secure the
datasystem, so that users need to specify a Kerberos key to access their
files, how could I manage multiple principals in one server, to get
My conf file is as below:
livy.server.access_control.enabled = true
livy.server.access_control.users = livy
PS: Does enabling launch.kerberos provide additional security to protect the keytab?
Any help with any of the questions is very much appreciated.
Thanks in advance