Github user jerryshao commented on the issue:

    https://github.com/apache/spark/pull/17582
  
    @tgravescs sorry for the confusion.
    
    > if base URL's ACL (spark.acls.enable) is enabled but user A has no view permission. User "A" cannot see the app list but could still access details of its own app.
    
    Here there are actually two lists of ACLs. One is controlled by `spark.acls.enabled`: if user "A" is not added to this ACL list, then user "A" cannot see the app list (`/<history-server-url>/api/v1/applications`). But if this app is run by user "A", then user "A" could still see the details of the app, like (`/<history-server-url>/api/v1/applications/<app-id>/jobs`); this ACL is controlled by "spark.history.ui.acls.enabled", and user "A" is automatically in the ACL list (because it is run by him).
    
    > if ACLs of base URL (spark.acls.enable) is disabled. Then user "A" could see the summary of all the apps, even some apps not run by user "A", but can only access its own app's details.
    
    If "spark.acls.enabled" is disabled, then `SecurityFilter` does not work, so user "A" could access `/<history-server-url>/api/v1/applications`, which means user "A" could see all the applications, even those not run by him.
    
    This `/<history-server-url>/api/v1/applications` doesn't touch `spark.history.ui.acls.enabled`.
    
    > if ACLs of base URL (spark.acls.enable) is disabled, then user "A" could download any application's event log, even if it is not run by user "A".
    
    This is the same issue as above. `/<history-server-url>/api/v1/applications/<app-id>/logs` is only controlled by "spark.acls.enable", not "spark.history.ui.acls.enable". So anyone could download any event logs if "spark.acls.enable" is disabled.
    
    So basically what I fixed is:
    
    1. Disable the work of `spark.acls.enable`, which means `SecurityFilter` is not checked.
    2. Use `spark.history.ui.acls.enable` to filter applications, application summary and application log based on the users who run the app.
    
    So the result of my PR is:
    
    1. History admin users could see/download/access any apps.
    2. Normal users could see/download/access apps run by them.
    
    @vanzin your suggestion is to only disable ACLs on the listing, which definitely simplifies the fix, but IMO that "all or nothing" solution is not so ideal:
    
    1. Any user could list all the apps, though they cannot access the details of an app not run by them. For sensitivity, is it better to not even show the apps not run by him?
    2. Currently, if ACLs on the listing are disabled, anyone could download event logs, which on the other hand exposes a security hole to other users.
    
    So IMO filtering based on users is better than an "all or nothing" solution. Also it doesn't increase the code complexity much.
    
    
    
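The comment above describes two ACL layers on the Spark History Server (the base-URL `SecurityFilter` driven by `spark.acls.enable`, and the per-app check driven by `spark.history.ui.acls.enable`) and contrasts the current behaviour with the PR's owner-based filtering. The following toy model is an added example, not Spark's code and not from the PR: the config names are real, but `HistoryConfig`, `App`, the `*_before`/`*_after` functions and the sample users/apps are this example's own assumptions about the behaviour the comment describes.

```python
# Added toy model of the two History Server ACL layers discussed above.
# Not Spark's code: HistoryConfig, App and the *_before/*_after functions are
# assumptions that encode the behaviour the comment describes.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class App:
    app_id: str
    owner: str  # the user who ran the application


@dataclass(frozen=True)
class HistoryConfig:
    base_acls_enabled: bool        # spark.acls.enable -> SecurityFilter on the base URL
    view_acls: FrozenSet[str]      # users let through SecurityFilter
    ui_acls_enabled: bool          # spark.history.ui.acls.enable -> per-app view checks
    admin_acls: FrozenSet[str]     # history admins


def passes_security_filter(cfg: HistoryConfig, user: str) -> bool:
    """Base-URL check: with base ACLs off, nobody is filtered (the issue the comment raises)."""
    if not cfg.base_acls_enabled:
        return True
    return user in cfg.view_acls or user in cfg.admin_acls


def can_view_app(cfg: HistoryConfig, user: str, app: App) -> bool:
    """Per-app check: the app's owner is implicitly allowed, as are history admins."""
    if not cfg.ui_acls_enabled:
        return True
    return user == app.owner or user in cfg.admin_acls


# --- behaviour described as current ("before") -----------------------------
def list_apps_before(cfg: HistoryConfig, user: str, apps: List[App]) -> Optional[List[str]]:
    """/api/v1/applications is gated only by SecurityFilter; None stands for a 403."""
    if not passes_security_filter(cfg, user):
        return None
    return [a.app_id for a in apps]


def can_download_log_before(cfg: HistoryConfig, user: str, app: App) -> bool:
    """/api/v1/applications/<app-id>/logs is likewise gated only by SecurityFilter."""
    return passes_security_filter(cfg, user)


# --- behaviour described as the PR's result ("after") ----------------------
def list_apps_after(cfg: HistoryConfig, user: str, apps: List[App]) -> List[str]:
    """Listing is filtered per app: admins see everything, others only their own apps."""
    return [a.app_id for a in apps if can_view_app(cfg, user, a)]


def can_download_log_after(cfg: HistoryConfig, user: str, app: App) -> bool:
    """Log download uses the same per-app rule as viewing the app's details."""
    return can_view_app(cfg, user, app)


# Constructed sample: base ACLs disabled (the risky setting), UI ACLs enabled.
SAMPLE_CFG = HistoryConfig(base_acls_enabled=False, view_acls=frozenset(),
                           ui_acls_enabled=True, admin_acls=frozenset({"admin"}))
SAMPLE_APPS = [App("app-1", "A"), App("app-2", "B")]


def compare(cfg: HistoryConfig = SAMPLE_CFG, apps: List[App] = SAMPLE_APPS, user: str = "A") -> dict:
    """Return what `user` can list and whether they can fetch another user's log, before vs after."""
    other = apps[1]  # app-2, owned by B
    return {
        "before_listing": list_apps_before(cfg, user, apps),
        "before_can_download_others_log": can_download_log_before(cfg, user, other),
        "after_listing": list_apps_after(cfg, user, apps),
        "after_can_download_others_log": can_download_log_after(cfg, user, other),
        "admin_after_listing": list_apps_after(cfg, "admin", apps),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With base ACLs disabled, the "before" functions let user A list both apps and fetch B's event log, which is the exposure the comment points out; the "after" functions reduce A's view to app-1 while the admin still sees everything. Flip `base_acls_enabled` to `True` with an empty `view_acls` and `list_apps_before` returns `None` (the 403 from `SecurityFilter`) even though `can_view_app` still admits A to its own app, matching the first quoted scenario.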
