Currently SHS (Spark History Server) has two different ACLs.
- ACL of the base URL. It is controlled by "spark.acls.enabled" or "spark.ui.acls.enabled". With this enabled, only a user configured with "spark.admin.acls" (or group) or "spark.ui.view.acls" (or group), or the user who started SHS, can list all the applications; otherwise none of them can be listed. This also affects the REST APIs which list the summary of all apps and of one app.
- Per application ACL. This is controlled by "spark.history.ui.acls.enabled". With this enabled, only the history admin user and the user/group who ran this app can access the details of this app.
With these two ACLs, we may encounter several unexpected behaviors:
1. If the base URL's ACL is enabled but user "A" has no view permission, user "A" cannot see the app list but can still access the details of its own app.
2. If the ACL of the base URL is disabled, user "A" can see the summary of all the apps, even ones not run by user "A", but cannot access their details.
3. A user in the history admin ACL has no permission to list all apps if this admin user is not added to the base URL's ACL.
These unexpected behaviors arise mainly because we have two different ACLs; ideally we should have only one to manage everything.
So to improve SHS's ACL mechanism, we should:
- Unify the two different ACLs into one, and always honor this one (both in the base URL and in app details).
- A user can partially list and display the apps which were run by that user, according to the ACLs in the event log.
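The three unexpected behaviors above, and the effect of applying one ACL to both listing and details, can be reproduced with a small model. This is an added example, not Spark's code: the class, method and user names are hypothetical, group ACLs are left out, and the unified listing is one assumed reading of the proposal.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class App:
    app_id: str
    owner: str  # user who ran the app, as recorded in its event log

@dataclass
class HistoryServerModel:  # hypothetical model, not a Spark class
    base_acl_enabled: bool
    base_viewers: set      # admin/view ACL users plus the user who started SHS
    app_acl_enabled: bool
    history_admins: set
    apps: list = field(default_factory=list)

    def list_apps(self, user):
        """Base-URL ACL: the user sees every app or none."""
        if self.base_acl_enabled and user not in self.base_viewers:
            return []
        return [a.app_id for a in self.apps]

    def can_view_details(self, user, app):
        """Per-application ACL: history admins and the app's owner."""
        if not self.app_acl_enabled:
            return True
        return user in self.history_admins or user == app.owner

    def list_apps_unified(self, user):
        """One ACL honored for listing as well: a partial, per-user list."""
        return [a.app_id for a in self.apps if self.can_view_details(user, a)]

APPS = [App("app-1", "A"), App("app-2", "B")]  # constructed sample data

def demo():
    locked = HistoryServerModel(True, {"shs"}, True, {"hadmin"}, APPS)
    open_base = HistoryServerModel(False, set(), True, {"hadmin"}, APPS)
    return {
        # 1. base ACL on, "A" not a viewer: empty list, own details readable
        "case1": (locked.list_apps("A"), locked.can_view_details("A", APPS[0])),
        # 2. base ACL off: "A" sees B's app in the list but not its details
        "case2": (open_base.list_apps("A"), open_base.can_view_details("A", APPS[1])),
        # 3. history admin missing from base ACL: full details, empty list
        "case3": (locked.list_apps("hadmin"), locked.can_view_details("hadmin", APPS[1])),
        "unified_A": locked.list_apps_unified("A"),
        "unified_admin": locked.list_apps_unified("hadmin"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```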