[ https://issues.apache.org/jira/browse/SPARK-23782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16412820#comment-16412820 ]
Marcelo Vanzin commented on SPARK-23782: ---------------------------------------- bq. The users can see which applications have been run by each users... Sorry but I don't consider any of the things you mentioned sensitive. They basically boil down to: there are other users in the system, and they can run applications. The consequences of this feature for the usability of the SHS (different users see different things) is a lot worse. I'm still against it unless you can make a very good case for it, which I haven't seen yet. > SHS should not show applications to user without read permission > ---------------------------------------------------------------- > > Key: SPARK-23782 > URL: https://issues.apache.org/jira/browse/SPARK-23782 > Project: Spark > Issue Type: Bug > Components: Web UI > Affects Versions: 2.4.0 > Reporter: Marco Gaido > Priority: Major > > The History Server shows all the applications to all the users, even though > they have no permission to read them. They cannot read the details of the > applications they cannot access, but still anybody can list all the > applications submitted by all users. > For instance, if we have an admin user {{admin}} and two normal users {{u1}} > and {{u2}}, and each of them submitted one application, all of them can see > in the main page of SHS: > ||App ID||App Name|| ... ||Spark User|| ... || > |app-123456789|The Admin App| .. |admin| ... | > |app-123456790|u1 secret app| .. |u1| ... | > |app-123456791|u2 secret app| .. |u2| ... | > Then clicking on each application, the proper permissions are applied and > each user can see only the applications he has the read permission for. > Instead, each user should see only the applications he has the permission to > read and he/she should not be able to see applications he has not the > permissions for. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org