
Databricks Dashboard state not cleared when logging in as another user.

Koa
New Contributor

Hi all, I am using Databricks and created a notebook that I would like to run in a Dashboard. It works correctly.

I shared the Dashboard with another user, UserA, with "Can Run" permission. When I log in as UserA, access the Dashboard and do an update by clicking the "Update" button, I noticed that if I run it as UserA, it will update the Dashboard on my screen.

Now the issue is, in the notebook, we do a login to obtain a JWT token and save it in a variable. If I run it as UserA, it will be saved in the state of the notebook, hence exposing a security issue, since Databricks does not clear the state whenever a user accesses the dashboard. Any help?

1 REPLY

Kaniz
Community Manager
Hi @Koa, You've encountered a security concern related to Databricks and handling JWT tokens within notebooks.

1. Dashboard State Persistence:
   • When you share a dashboard with another user (in this case, UserA), any updates made by that user will reflect on your screen as well. This behaviour is unexpected and could potentially lead to security vulnerabilities.
   • The persistence of state across different users' interactions with the dashboard is indeed a concern.

2. JWT Token Handling:
   • In your notebook, you obtain a JWT token (used for authentication) and save it in a variable.
   • When UserA runs the notebook, the token remains in the notebook's state, even after they access the dashboard. This poses a security risk because the token could be misused if it falls into the wrong hands.

3. Potential Solutions:
   Here are some steps you can take to mitigate this issue:
   • Clear State: After the notebook runs, explicitly clear the state or variables containing sensitive information (such as the JWT token). You can do this programmatically within the notebook.
   • Token Rotation: Consider rotating the JWT token periodically. This ensures that even if it's accidentally exposed, its validity is limited.
   • Secret Scopes: Utilize secret scopes in Databricks to securely manage secrets (including tokens). Secret scopes allow you to store and retrieve sensitive information without exposing it directly in ...1.
   • Access Control: Review the permissions and access controls for the dashboard. Ensure that only authorized users have the necessary privileges.
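As an added illustration (not code from this thread or from Databricks), the "Clear State" and "Secret Scopes" points above in Python: a scan of the notebook namespace for JWT-shaped strings, explicit deletion of what it finds, and a helper that confines the token to a function frame so it never lands in notebook state. `fetch_token_from_secret_scope` is an assumed stand-in for a `dbutils.secrets.get` lookup, and the `state` dict stands in for the notebook's `globals()`.

```python
import re
from typing import Callable

# Constructed JWT-shaped placeholder (base64url header.payload.signature); not a real token.
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyQSJ9.c2lnbmF0dXJl"
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*$")


def fetch_token_from_secret_scope() -> str:
    """Assumed stand-in for the real lookup. In a Databricks notebook this would be
    dbutils.secrets.get(scope="<scope>", key="<key>"); it is not called here."""
    return SAMPLE_JWT


def find_jwt_like_state(namespace: dict) -> list:
    """Names in a namespace (pass globals() in a notebook) whose values look like JWTs."""
    return sorted(name for name, value in namespace.items()
                  if isinstance(value, str) and JWT_RE.match(value))


def with_token(fetch: Callable[[], str], use: Callable[[str], object]) -> object:
    """Confine the token to this frame: it is never bound in the notebook's globals,
    so nothing is left behind for the next user who refreshes the dashboard."""
    token = fetch()
    try:
        return use(token)
    finally:
        token = None  # drop the reference before the frame is discarded


def clear_sensitive_state(namespace: dict, names: list) -> list:
    """Explicitly delete named variables from the namespace; returns what was removed."""
    removed = [n for n in names if n in namespace]
    for n in removed:
        del namespace[n]
    return removed


def demo() -> dict:
    """Contrast the leaky pattern from the question with the scoped one."""
    # Leaky: the token is bound at notebook (global) level, so it persists in state.
    state = {"jwt_token": fetch_token_from_secret_scope(), "rows": 42}
    leaked = find_jwt_like_state(state)
    clear_sensitive_state(state, leaked)
    # Scoped: only a derived, non-secret result reaches the namespace.
    state["auth_header_len"] = with_token(fetch_token_from_secret_scope,
                                          lambda t: len("Bearer " + t))
    return {"leaked_before": leaked, "leaked_after": find_jwt_like_state(state),
            "result": state["auth_header_len"]}
```

In a notebook, running `find_jwt_like_state(globals())` at the end of the last cell is a cheap check that no token-shaped value survived into the state a dashboard viewer would inherit.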