Presto: Presto WebUI - authorization (security)

Created on 18 Aug 2018 · 5 Comments · Source: prestodb/presto

Enable 2 roles (admin, user). Users in the 'user' role can only see their own queries on the WebUI, whereas users in the 'admin' role can see all queries on the WebUI. The reason for hiding other users' queries is that they may contain sensitive data, i.e. select * from persontbl where name = 'john smith' and address='123 smith st' + the UI reveals the count of rows returned by the query - thus allowing sensitive data to be revealed to other users.

All 5 comments

Also, it would be nice to have a config setting to disable the WebUI altogether.

There should be hooks in SystemAccessControl (or a new interface created specifically for this purpose) to allow filtering/controlling access in the UI.
The roles (be it "admin", "user" or anything) would be up to the implementation of the interface.

Do we have any update on how we can stop seeing each other's queries in Presto-ui?
Because of this we have had a couple of security incidents in our environments.

@dipanjanmukherjee83 use prestosql
