Configuring Spark Web UI ACLs
Scenario
Configure ACLs on the Spark web UI to protect your private data from being viewed by other users. Once a user attempts to log in to the UI, Spark can check the view ACL of the user to determine whether to allow the access.
Spark has two types of web UIs. One is for running tasks, which can be accessed through the application link on the native YARN page or the REST API. The other is for ended tasks, which can be accessed through the Spark JobHistory service or the REST API.
This section applies only to clusters in security mode (with Kerberos authentication enabled).
- Configuring the ACL of the web UI for running tasks
For a running task, you can set the following parameters on the server:
- spark.admin.acls: specifies the web UI administrator list.
- spark.admin.acls.groups: specifies the administrator group list.
- spark.ui.view.acls: specifies the Yarn page visitor list.
- spark.ui.view.acls.groups: specifies the Yarn page visitor group list.
- spark.modify.acls: specifies the web UI modifier list.
- spark.modify.acls.groups: specifies the web UI modifier group list.
- Configuring the ACL of the web UI for ended tasks
For ended tasks, use client parameter spark.history.ui.acls.enable to enable or disable the ACL access permission.
If ACL control is enabled, configure client parameters spark.admin.acls and spark.admin.acls.groups to specify the web UI administrator list and administrator group list. Use client parameters spark.ui.view.acls and spark.ui.view.acls.groups to specify the visitor list and visitor group list that can view web UI task details. Use client parameters spark.modify.acls and spark.modify.acls.groups to specify the user list and group list that can modify web UI task details.
Configuration
Log in to FusionInsight Manager and choose Cluster > Services > Spark. Click Configurations then All Configurations, search for acl, and modify the following parameters on the JobHistory, JDBCServer, SparkResource, and Spark pages:
Parameter | Description | Default Value |
---|---|---|
spark.history.ui.acls.enable | Indicates whether JobHistory supports the permission verification of a single task. | true |
spark.acls.enable | Indicates whether to enable Spark permission management. If this function is enabled, the system checks whether the user has the permission to access and modify task information. | true |
spark.admin.acls | Indicates the list of Spark administrators. All members in the list have the rights to manage all Spark tasks. You can configure multiple administrators and separate them from each other using commas (,). | admin |
spark.admin.acls.groups | Indicates the list of Spark administrator groups. All groups in the list have the permission to manage all Spark tasks. You can configure multiple administrator groups and separate them from each other using commas (,). | - |
spark.modify.acls | Indicates the list of members that have the permission to modify Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them from each other using commas (,). | - |
spark.modify.acls.groups | Indicates the list of groups that have the permission to modify Spark tasks. You can configure multiple groups and separate them from each other using commas (,). | - |
spark.ui.view.acls | Indicates the list of members that have the permission to access Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them from each other using commas (,). | - |
spark.ui.view.acls.groups | Indicates the list of groups that have the permission to access Spark tasks. You can configure multiple groups and separate them from each other using commas (,). | - |
If you use a client to submit tasks, you must download the client again after modifying the spark.admin.acls, spark.admin.acls.groups, spark.modify.acls, spark.modify.acls.groups, spark.ui.view.acls, and spark.ui.view.acls.groups parameters.
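To check a planned configuration before applying it, the following added example (not part of the original page and not Spark's own code) models how the view, modify, and admin lists combine for a given user. It assumes group membership is supplied by the caller; the function names and every user and group name are constructed for illustration.

```python
# Simplified model of the ACL decision for illustration; not Spark's own code.
# Constructed sample configuration: every user and group name below is made up.
SAMPLE_CONF = """\
spark.acls.enable            true
spark.admin.acls             admin
spark.admin.acls.groups      sparkadmins
spark.modify.acls            etl_ops
spark.ui.view.acls           analyst1,analyst2
spark.ui.view.acls.groups    auditors
"""

def parse_conf(text):
    """Parse 'key value' or 'key=value' lines (spark-defaults.conf style)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def members(conf, key):
    """Split a comma-separated ACL value into a set of names."""
    return {m.strip() for m in conf.get(key, "").split(",") if m.strip()}

def allowed(conf, action, user, groups=(), owner=None):
    """Return True if `user` may 'view' or 'modify' a task started by `owner`."""
    # Default taken from the parameter table (spark.acls.enable = true).
    if conf.get("spark.acls.enable", "true").lower() != "true":
        return True  # permission management off: no per-user check is made
    key = {"view": "spark.ui.view.acls", "modify": "spark.modify.acls"}[action]
    # Administrators and administrator groups are allowed for every action.
    users = members(conf, "spark.admin.acls") | members(conf, key)
    grps = members(conf, "spark.admin.acls.groups") | members(conf, key + ".groups")
    is_owner = owner is not None and user == owner
    return is_owner or user in users or bool(grps & set(groups))

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for who, grp in [("admin", []), ("etl_ops", []), ("bob", ["auditors"]), ("eve", [])]:
        print(who, {a: allowed(conf, a, who, grp) for a in ("view", "modify")})
```

In this model a name placed under a modify key gets no view access, which makes a view/modify mix-up visible before the configuration is deployed.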