Hello dev@spark,

Every now and then we get a 'security report' for Spark where the reporter is shocked that 'spark', an 'engine for executing', allows users to execute things. The latest in this category was https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.

You already have a pretty great https://spark.apache.org/docs/latest/security.html, but it might be good to add a basic introduction to make explicit that users who are authorized to execute can indeed execute code? I'm of course no Spark expert and you can likely more clearly describe the security boundaries here. You could take inspiration from https://flink.apache.org/what-is-flink/security/ or other pages linked from https://security.apache.org/projects/

Kind regards,

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant