Configuring Spark Web UI ACLs

Scenarios

Access Control Lists (ACLs) are a foundational security mechanism used to regulate access to resources. They define which users or user groups can access a resource. Using ACLs is an effective way to restrict users' access to application history and protect sensitive data.

If the Spark web UI displays sensitive data, you may need to implement ACL-based security controls to restrict unauthorized access. When a user attempts to access the Spark web UI, Spark checks the user's view ACL to determine whether access should be allowed.

Spark provides two types of web UI, each serving a different purpose. One is for running tasks, accessible via the application link on the native YARN page or through corresponding REST APIs. The other is for completed tasks, which can be viewed using the Spark JobHistory service or corresponding REST APIs.

• Configuring the ACL of the web UI for running tasks

  For a running task, you can set the following parameters on the server:

  • spark.admin.acls: specifies the web UI administrator list.
  • spark.admin.acls.groups: specifies the administrator group list.
  • spark.ui.view.acls: specifies the Yarn page visitor list.
  • spark.modify.acls.groups: specifies the Yarn page visitor group list.
  • spark.modify.acls: specifies the web UI modifier list.
  • spark.ui.view.acls.groups: specifies the web UI modifier group list.

• Configuring the ACL of the web UI for ended tasks

  For ended tasks, use client parameter spark.history.ui.acls.enable to enable or disable the ACL access permission.

  If ACL control is enabled, configure client parameters spark.admin.acls and spark.admin.acls.groups to specify the web UI administrator list and administrator group list. Use client parameters spark.ui.view.acls and spark.modify.acls.groups to specify the visitor list and visitor group list that view web UI task details. Use client parameters spark.modify.acls and spark.ui.view.acls.groups to specify the visitor list and group list that modify web UI task details.

Notes and Constraints

This section applies only to clusters in security mode (with Kerberos authentication enabled).

Configuration

1. Log in to FusionInsight Manager.

   For details, see Accessing FusionInsight Manager.

2. Choose Cluster > Services > Spark2x or Spark, click Configurations and then All Configurations, and search for the following parameters and adjust their values.

   Table 1 Parameter description

   Parameter	Description	Example Value
   spark.history.ui.acls.enable	Indicates whether JobHistory supports the permission verification of a single task. true: ACLs are enabled. Only authorized users can view Spark applications. false: ACLs are disabled. All users can view Spark applications, which may cause security risks. Therefore, exercise caution when using this value.	true
   spark.acls.enable	Indicates whether to enable Spark permission management. If this function is enabled, the system checks whether the user has the permission to access and modify task information. true: Spark task permission management is enabled. Only authorized users can view and operate applications. false: Spark task permission management is disabled. All users have the permission to access and modify applications. Exercise caution when using this value.	true
   spark.admin.acls	Indicates the list of Spark administrators who have the authority to manage all Spark tasks. You can configure multiple administrators and differentiate them by using commas (,) to separate them.	admin
   spark.admin.acls.groups	Indicates the list of Spark administrator groups that have the authority to manage all Spark tasks. You can configure multiple administrators and differentiate them by using commas (,) to separate them.	-
   spark.modify.acls	Indicates the list of members who have the permission to modify Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them from each other using commas (,).	-
   spark.modify.acls.groups	Indicates the list of groups that have the permission to modify Spark tasks. You can configure multiple groups and separate them from each other using commas (,).	-
   spark.ui.view.acls	Indicates the list of members that have the permission to access Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them from each other using commas (,).	-
   spark.ui.view.acls.groups	Indicates the list of groups that have the permission to access Spark tasks. You can configure multiple groups and separate them from each other using commas (,).	yarnviewgroup

3. After the parameter settings are modified, click Save, perform operations as prompted, and wait until the settings are saved successfully.
4. After the Spark server configurations are updated, if Configure Status is Expired, restart the component for the configurations to take effect.
   Figure 1 Modifying Spark configurations
   

   On the Spark dashboard page, choose More > Restart Service or Service Rolling Restart, enter the administrator password, and wait until the service restarts.

   If you use the Spark client to submit tasks, you need to download the client again for the configurations to take effect after the cluster parameters spark.admin.acls, spark.admin.acls.groups, spark.modify.acls, spark.modify.acls.groups, spark.ui.view.acls, and spark.ui.view.acls.groups are modified. For details, see Using an MRS Client.

   

   Components are unavailable during the restart, affecting upper-layer services in the cluster. To minimize the impact, perform this operation during off-peak hours or after confirming that the operation does not have adverse impact.