Description
(This goes back further than 2.0.0, btw.)
The REST API currently only performs authorization at the root of the UI; this works for live UIs, but not for the history server, where the root allows everybody to read data. That means that currently any user can see any application in the SHS through the REST API, when auth is enabled.
Instead, the REST API should behave like the regular UI and perform authentication at the app level too.
Attachments
Attachments
Issue Links
- relates to
-
SPARK-19642 Improve the security guarantee for rest api and ui
- Closed
- links to