[ https://issues.apache.org/jira/browse/SPARK-23782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16412820#comment-16412820 ]

Marcelo Vanzin commented on SPARK-23782:
----------------------------------------

bq. The users can see which applications have been run by each user...

Sorry but I don't consider any of the things you mentioned sensitive. They 
basically boil down to: there are other users in the system, and they can run 
applications.

The consequences of this feature for the usability of the SHS (different users 
see different things) are a lot worse. I'm still against it unless you can make 
a very good case for it, which I haven't seen yet.

> SHS should not show applications to user without read permission
> ----------------------------------------------------------------
>
>                 Key: SPARK-23782
>                 URL: https://issues.apache.org/jira/browse/SPARK-23782
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> The History Server shows all the applications to all the users, even though 
> they have no permission to read them. They cannot read the details of the 
> applications they cannot access, but still anybody can list all the 
> applications submitted by all users.
> For instance, if we have an admin user {{admin}} and two normal users {{u1}} 
> and {{u2}}, and each of them submitted one application, all of them can see 
> in the main page of SHS:
> ||App ID||App Name|| ... ||Spark User|| ... ||
> |app-123456789|The Admin App| .. |admin| ... |
> |app-123456790|u1 secret app| .. |u1| ... |
> |app-123456791|u2 secret app| .. |u2| ... |
> Then clicking on each application, the proper permissions are applied and 
> each user can see only the applications he has the read permission for.
> Instead, each user should see only the applications he has the permission to 
> read and he/she should not be able to see applications he does not have the 
> permissions for.


