Here is the current status of Livy's ACLs:
1. Livy has ACLs, which is controlled by livy.server.access-control.enabled, if it is set to true, then only the allowed users (users configured in livy.server.access-control.users) can submit any REST requests. For example, if ACLs is enabled, and user "A", "B" and "C" are the allowed users, then user "A", "B" and "C" could create sessions, submit statements and others. But user "D" (which is not in the allowed list) cannot submit any REST queries, all of them will be responded with 403.
2. For the existing sessions (sessions already created), only the user who created this session or livy super user (livy.superusers) could access this session, including submitting statements, querying results. For example, if session "1" is created by user "A", then only user "A" and livy superuser could access this session. other user cannot POST or GET anything.
This is the current status of Livy's ACLs, I think it has basic functionalities of ACLs (access control), but it lacks fine-grained controls, like admin/modify/view users in Spark.
So I think it would be better to improve the current Livy's ACLs to have fine-grained controls like Spark.