Configuring Spark Web UI ACLs
Scenario
If the Spark2x web UI shows data that other users must not view, protect the UI with access control lists (ACLs). When a user attempts to log in to the UI, Spark2x checks the view ACL of the user to determine whether to allow the access.
Spark2x has two types of web UI. One is for running tasks. You can access the web UI using the application link on the native Yarn page or the REST APIs. The other one is for ended tasks. You can access the web UI using the Spark2x JobHistory service or the REST APIs.
This section applies only to clusters in security mode (with Kerberos authentication enabled).
- Configuring the ACL of the web UI for running tasks
  For a running task, you can set the following parameters on the server:
  - spark.admin.acls: specifies the web UI administrator list.
  - spark.admin.acls.groups: specifies the administrator group list.
  - spark.ui.view.acls: specifies the Yarn page visitor list.
  - spark.ui.view.acls.groups: specifies the Yarn page visitor group list.
  - spark.modify.acls: specifies the web UI modifier list.
  - spark.modify.acls.groups: specifies the web UI modifier group list.
- Configuring the ACL of the web UI for ended tasks
  For ended tasks, use client parameter spark.history.ui.acls.enable to enable or disable the ACL access permission.
  If ACL control is enabled, configure client parameters spark.admin.acls and spark.admin.acls.groups to specify the web UI administrator list and administrator group list. Use client parameters spark.ui.view.acls and spark.ui.view.acls.groups to specify the visitor list and visitor group list that can view web UI task details. Use client parameters spark.modify.acls and spark.modify.acls.groups to specify the visitor list and group list that can modify web UI task details.
Configuration
Log in to FusionInsight Manager and choose Cluster > Services > Spark2x. Click Configurations, click All Configurations, search for acl, and modify the following parameters on the JobHistory, JDBCServer, SparkResource, and Spark pages:
Parameter | Description | Default Value |
---|---|---|
spark.history.ui.acls.enable | Indicates whether JobHistory supports the permission verification of a single task. | true |
spark.acls.enable | Indicates whether to enable Spark permission management. If this function is enabled, the system checks whether the user has the permission to access and modify task information. | true |
spark.admin.acls | Indicates the list of Spark administrators who have the authority to manage all Spark tasks. You can configure multiple administrators and separate them using commas (,). | admin |
spark.admin.acls.groups | Indicates the list of Spark administrator groups that have the authority to manage all Spark tasks. You can configure multiple administrator groups and separate them using commas (,). | - |
spark.modify.acls | Indicates the list of members who have the permission to modify Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them using commas (,). | - |
spark.modify.acls.groups | Indicates the list of groups that have the permission to modify Spark tasks. You can configure multiple groups and separate them using commas (,). | - |
spark.ui.view.acls | Indicates the list of members that have the permission to access Spark tasks. By default, the user who starts a task has the permission to modify the task. You can configure multiple users and separate them using commas (,). | - |
spark.ui.view.acls.groups | Indicates the list of groups that have the permission to access Spark tasks. You can configure multiple groups and separate them using commas (,). | - |
If you use a client to submit tasks, you must download the client again after modifying the spark.admin.acls, spark.admin.acls.groups, spark.modify.acls, spark.modify.acls.groups, spark.ui.view.acls, and spark.ui.view.acls.groups parameters.
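The following added example (not part of the original page and not Spark2x source code) is a simplified model of how the parameters above combine into a view or modify decision, useful for checking a planned ACL change before applying it. It assumes the settings are available in spark-defaults.conf format; the sample users and groups are constructed, and the `*` wildcard is upstream Spark behaviour assumed to apply to Spark2x.

```python
# Added example: a simplified model of the ACL decision, not Spark2x source code.
SAMPLE_CONF = """\
# Constructed sample in spark-defaults.conf format; users and groups are made up.
spark.acls.enable            true
spark.admin.acls             admin
spark.admin.acls.groups      sparkadmins
spark.ui.view.acls           alice,bob
spark.ui.view.acls.groups    analysts
spark.modify.acls            alice
spark.modify.acls.groups
"""

def parse_conf(text):
    """Parse 'key value' or 'key=value' lines; skip blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def _members(conf, key):
    """Split a comma-separated ACL value into a set, dropping empty entries."""
    return {m.strip() for m in conf.get(key, "").split(",") if m.strip()}

def _allowed(conf, kind, user, groups, owner):
    # spark.acls.enable defaults to true in the page's parameter table.
    if conf.get("spark.acls.enable", "true").lower() != "true":
        return True  # ACL checks off: every authenticated user passes
    # Administrators and the user who started the task always pass.
    users = _members(conf, "spark.admin.acls") | _members(conf, kind) | ({owner} - {""})
    grps = _members(conf, "spark.admin.acls.groups") | _members(conf, kind + ".groups")
    # Assumption: as in upstream Spark, a "*" entry matches every user or group.
    return "*" in users or user in users or "*" in grps or bool(grps & set(groups))

def can_view(conf, user, groups=(), owner=""):
    return _allowed(conf, "spark.ui.view.acls", user, groups, owner)

def can_modify(conf, user, groups=(), owner=""):
    return _allowed(conf, "spark.modify.acls", user, groups, owner)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for user, groups in [("bob", []), ("carol", ["analysts"]), ("eve", [])]:
        print(user, "view:", can_view(conf, user, groups), "modify:", can_modify(conf, user, groups))
```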