Hello,

As shared before[0], the ASF security team is concerned about the ability of the Zeppelin project to respond to security issues.

In the vast majority of Zeppelin deployments, either the network or Shiro needs to be configured to make sure only trusted users have access. Those users must be assumed/trusted to be able to view and manipulate each other's resources, as per the security model[1].

Zeppelin also supports Docker/K8s deployments where the running user code is isolated from the Zeppelin infrastructure. It seems the bottleneck in making security decisions is that it can be difficult to assess whether a potential issue in Zeppelin code could be used to bypass that isolation.

For that reason, we propose to stop advertising this isolation as a security boundary. This means even in Docker/K8s deployments users are trusted, and can in theory view and manipulate each other's resources. The isolation can still be useful from an operational perspective, for example when you have one Zeppelin instance that is shared across multiple (trusted) teams.

We'd like to gather feedback on whether this would be problematic for any significant Zeppelin deployments. If so, please reach out ASAP - but note we will ask you to play an active role in making security assessments for this use case.

[0]: https://lists.apache.org/thread/c6zygxpg6woxttsxwojkt60vvs1f2njx
[1]: https://zeppelin.apache.org/security.html

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant