Hello dev@spark,

Every now and then we get a 'security report' for Spark where the reporter
is shocked that 'spark', an 'engine for executing', allows users to execute
things. The latest in this category was
https://huntr.com/bounties/cc436d0b-e5d7-4394-9cff-0d4b1809a3f8.

You already have a pretty great
https://spark.apache.org/docs/latest/security.html, but it might be good to
add a basic introduction to make explicit that users who are authorized to
execute can indeed execute code? I'm of course no Spark expert and you can
likely more clearly describe the security boundaries here. You could take
inspiration from https://flink.apache.org/what-is-flink/security/ or other
pages linked from https://security.apache.org/projects/


Kind regards,

-- 
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant