[DOCS][SPARK-674] Documented user access to Spark Dispatcher instance…

… secrets. (apache#280)

docs/limitations.md

@@ -21,7 +21,11 @@ featureMaturity:
 *   With Spark SSL/TLS enabled, if you specify environment-based secrets with
     `spark.mesos.[driver|executor].secret.envkeys, the keystore and truststore secrets will also show up as
     environment-based secrets, due to the way secrets are implemented. You can ignore these extra environment variables.
-
+
+*   Anyone who has access to the Spark (Dispatcher) service instance has access to all secrets available to it. Do not
+    grant users access to the Spark Dispatcher instance unless they are also permitted to access all secrets available
+    to the Spark Dispatcher instance.
+
 *   When using Kerberos and HDFS, the Spark Driver generates delegation tokens and distributes them to it's Executors
     via RPC.  Authentication of the Executors with the Driver is done with a [shared
     secret][https://spark.apache.org/docs/latest/security.html#spark-security]. Without authentication, it is possible

docs/security.md

@@ -29,6 +29,11 @@ that matches the name of the Spark service (e.g. `spark/secret`).  See the [Secr
 Documentation about Spaces][13] for details about how secret paths restrict
 service access to secrets.
 
+### Limitations
+Anyone who has access to the Spark (Dispatcher) service instance has access to all secrets available to it. Do not
+grant users access to the Spark Dispatchers instance unless they are also permitted to access all secrets available
+to the Spark Dispatcher instance.
+
 ### Binary Secrets
 
 When you need to store binary files into DC/OS secrets store, for example a Kerberos keytab file, your file needs to be base64-encoded as specified in RFC 4648.