[ 
https://issues.apache.org/jira/browse/SPARK-23782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16411843#comment-16411843
 ] 

Marcelo Vanzin edited comment on SPARK-23782 at 3/23/18 6:23 PM:
-----------------------------------------------------------------

bq. This seems a security hole to me

What sensitive information is being exposed to users that should not see it?

Won't you get that same info if you go to the resource manager's page and look 
at what applications have run?


was (Author: vanzin):
bq. This seems a security hole to me

What sensitive information if being exposed to users that should not see it?

Won't you get that same info if you go to the resource manager's page and look 
at what applications have run?

> SHS should not show applications to user without read permission
> ----------------------------------------------------------------
>
>                 Key: SPARK-23782
>                 URL: https://issues.apache.org/jira/browse/SPARK-23782
>             Project: Spark
>          Issue Type: Bug
>          Components: Web UI
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> The History Server shows all the applications to all the users, even though 
> they have no permission to read them. They cannot read the details of the 
> applications they cannot access, but still anybody can list all the 
> applications submitted by all users.
> For instance, if we have an admin user {{admin}} and two normal users {{u1}} 
> and {{u2}}, and each of them submitted one application, all of them can see 
> in the main page of SHS:
> ||App ID||App Name|| ... ||Spark User|| ... ||
> |app-123456789|The Admin App| .. |admin| ... |
> |app-123456790|u1 secret app| .. |u1| ... |
> |app-123456791|u2 secret app| .. |u2| ... |
> Then, clicking on each application, the proper permissions are applied and 
> each user can see only the applications he/she has read permission for.
> Instead, each user should see only the applications he/she has permission to 
> read, and should not be able to see the applications he/she has no 
> permission for.
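The report boils down to an authorization check that is applied on the detail page but not on the listing that leads to it. The following is an added illustration written for this thread, not Spark's own code: it models the three applications from the reporter's table and shows the listing filtered with the same `can_view` check the detail page uses. The constructed `ADMIN_ACLS`/`ACLS_ENABLED` settings stand in for what the real History Server reads from `spark.history.ui.admin.acls` and `spark.history.ui.acls.enable`; the `view_acls` field and all function names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppSummary:
    """One row of the SHS main page (constructed to mirror the table above)."""
    app_id: str
    name: str
    spark_user: str                     # user who submitted the application
    view_acls: frozenset = frozenset()  # extra users granted read access (assumed field)


# Constructed history-server ACL settings; the real SHS derives these from
# spark.history.ui.acls.enable and spark.history.ui.admin.acls.
ACLS_ENABLED = True
ADMIN_ACLS = frozenset({"admin"})


def can_view(user, app):
    """The check the detail page applies: admins, the owner and view-ACL users.

    With ACLs disabled everybody may read everything; an unauthenticated
    request (user is None) is granted nothing once ACLs are on.
    """
    if not ACLS_ENABLED:
        return True
    if user is None:
        return False
    return user in ADMIN_ACLS or user == app.spark_user or user in app.view_acls


def list_applications_unfiltered(apps, user):
    """Behaviour described in the report: every user sees every application."""
    return [a.app_id for a in apps]


def list_applications_filtered(apps, user):
    """Expected behaviour: the listing is filtered with the detail-page check,
    so the mere existence and name of another user's application is not leaked."""
    return [a.app_id for a in apps if can_view(user, a)]


# Constructed sample data taken from the table in the issue description.
APPS = [
    AppSummary("app-123456789", "The Admin App", "admin"),
    AppSummary("app-123456790", "u1 secret app", "u1"),
    AppSummary("app-123456791", "u2 secret app", "u2"),
]

if __name__ == "__main__":
    for who in ("admin", "u1", "u2", None):
        print(who, "unfiltered:", list_applications_unfiltered(APPS, who))
        print(who, "filtered:  ", list_applications_filtered(APPS, who))
```

Running it shows `u1` seeing all three IDs and names in the unfiltered listing but only `app-123456790` once the filter is in place; `admin` sees all three either way. The design point is that a single `can_view` predicate is shared between the listing and the detail view, so the two cannot drift apart again.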



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
