Elevated permissions required for general usage #24

Open
stuart-k-h opened this issue Feb 23, 2022 · 1 comment
@stuart-k-h

According to the custom commands section of the documentation, a user requires either 'admin_all_objects' or 'list_storage_passwords' to use the add-on. From a security perspective neither permission is viable, as the first provides a user with full admin privileges on the platform, while the second allows a user to see all stored passwords for apps/add-ons they have access to.

This requirement prevents this app being used in the majority of environments, and really needs to be rewritten to use proper access control that doesn't reveal credentials to non-admins. While an admin should be able to see (and change) the configuration of any defined cluster, a normal user should only have access to clusters that share the same role (i.e., databricks_cluster_xxxxxx), similar to the functionality that DB Connect provides.

@stuart-k-h

As a starting point (at the request of Serge) it would be worthwhile examining the Splunk Add-on Builder as it handles credential storage and proxy configuration etc.
https://splunkbase.splunk.com/app/2962/
