[jira] [Commented] (SPARK-23782) SHS should not show applications to user without read permission

Fri, 23 Mar 2018 11:19:33 -0700 

    [ 
https://issues.apache.org/jira/browse/SPARK-23782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16411836#comment-16411836
 ] 

Marco Gaido commented on SPARK-23782:
-------------------------------------

[~vanzin] sorry but I have not been able to find any JIRA related to this. 
Probably it is my fault and I just missed it.

Anyway, it sounds pretty weird to me that listing applications doesn't need to 
be filtered. This seems a security hole to me. I can't think of any reason/any 
tool which lets users to list things the user has no read permissions for.

> SHS should not show applications to user without read permission
> ----------------------------------------------------------------
>
>                 Key: SPARK-23782
>                 URL: https://issues.apache.org/jira/browse/SPARK-23782
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> The History Server shows all the applications to all the users, even though 
> they have no permission to read them. They cannot read the details of the 
> applications they cannot access, but still anybody can list all the 
> applications submitted by all users.
> For instance, if we have an admin user {{admin}} and two normal users {{u1}} 
> and {{u2}}, and each of them submitted one application, all of them can see 
> in the main page of SHS:
> ||App ID||App Name|| ... ||Spark User|| ... ||
> |app-123456789|The Admin App| .. |admin| ... |
> |app-123456790|u1 secret app| .. |u1| ... |
> |app-123456791|u2 secret app| .. |u2| ... |
> Then clicking on each application, the proper permissions are applied and 
> each user can see only the applications he has the read permission for.
> Instead, each user should see only the applications he has the permission to 
> read and he/she should not be able to see applications he has not the 
> permissions for.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to