GitHub user dhruve opened a pull request:

    https://github.com/apache/spark/pull/12760

    [SPARK-4224][Core, YARN] 

    ## What changes were proposed in this pull request?
    Currently only a list of users can be specified for view and modify acls. 
This change enables a group of admins/devs/users to be provisioned for viewing 
and modifying Spark jobs.
    
    (Please fill in changes proposed in this fix)
    Three new corresponding config entries have been added where the user can 
specify the groups to be given access. 
    
    ```
    spark.admin.acls.groups 
    spark.modify.acls.groups
    spark.ui.view.acls.groups
    ```
    
    New config entries were added because specifying the users and groups 
explicitly is a better and cleaner way compared to specifying them in the 
existing config entry using a delimiter.  
    
    A generic trait has been introduced to provide the user to group mapping, 
which makes it pluggable to support a variety of mapping protocols - similar to 
the one used in Hadoop. A default Unix shell based implementation has been 
provided.
    A custom user to group mapping protocol can be specified and configured by 
the entry `spark.user.groups.mapping`.
    
    ## How was this patch tested?
    We ran different Spark jobs setting the config entries in combinations of 
admin, modify and UI acls. For modify acls we tried killing the job stages from 
the UI and using YARN commands. For view acls we tried accessing the UI tabs 
and the logs. Headless accounts were used to launch these jobs and different 
users tried to modify and view the jobs to ensure that the groups mapping 
applied correctly. 
    
    Additional Unit tests have been added without modifying the existing ones. 
These test for different ways of setting the acls through configuration and/or 
API and validate the expected behavior.
    
    (Please explain how this patch was tested. E.g. unit tests, integration 
tests, manual tests)
    
    
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/dhruve/spark impr/SPARK-4224

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/12760.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #12760
    
----
commit 49900ae96983bf2c79d3a08e39f401bdfec20eb0
Author: Dhruve Ashar <[email protected]>
Date:   2016-04-26T17:57:28Z

    Adds group acls support to security

commit 04438f695056eae28156563d20d3d103b943750e
Author: Dhruve Ashar <[email protected]>
Date:   2016-04-27T17:41:19Z

    Restoring accidental changes. Doesn't affect group acls

commit df254e7395d282df309c09ebf5a5c45e96514408
Author: Dhruve Ashar <[email protected]>
Date:   2016-04-27T22:14:02Z

    Updates view/modify checks for user. Adds DummyGroupsProvider to mock user 
groups. Updates docs for the new config entries. Adds more description.

----
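
The group check described in the pull request above, as an added example that is not code from the pull request or from Spark: a Python model of user and group ACLs with a pluggable user-to-group mapping and a shell-based default. `AclChecker`, the helper names and the sample directory are hypothetical, and treating admin entries as granting both view and modify is an assumption.

```python
import subprocess

# Hypothetical model, not Spark code. Group keys are the user keys plus ".groups".
KEYS = {"admin": "spark.admin.acls", "modify": "spark.modify.acls",
        "view": "spark.ui.view.acls"}

def shell_groups(user):
    """Unix shell based mapping: the groups printed by `id -Gn <user>`."""
    try:
        # argv list, no shell, "--" ends option parsing: the name is only data
        out = subprocess.run(["id", "-Gn", "--", user], capture_output=True,
                             text=True, timeout=5, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return set()  # lookup failed or unknown user: no groups, fail closed
    return set(out.split())

def parse_acl(conf, key):
    """Split a comma-separated config value into a set of names."""
    return {name.strip() for name in conf.get(key, "").split(",") if name.strip()}

class AclChecker:
    def __init__(self, conf, groups_of=shell_groups):
        self.groups_of = groups_of  # pluggable user-to-group mapping
        self.users = {a: parse_acl(conf, k) for a, k in KEYS.items()}
        self.groups = {a: parse_acl(conf, k + ".groups") for a, k in KEYS.items()}

    def allowed(self, user, action):
        """action is "view" or "modify"; admin entries grant both (assumption)."""
        if not user:
            return False
        if any(user in self.users[s] for s in ("admin", action)):
            return True
        wanted = self.groups["admin"] | self.groups[action]
        # Resolve the user's groups only when a group ACL is configured
        return bool(wanted) and bool(wanted & self.groups_of(user))

# Constructed sample configuration and user directory
CONF = {"spark.admin.acls.groups": "spark-admins",
        "spark.modify.acls": "alice",
        "spark.modify.acls.groups": "etl-devs",
        "spark.ui.view.acls.groups": "analysts, etl-devs"}
DIRECTORY = {"bob": {"etl-devs"}, "carol": {"analysts"}, "dan": {"spark-admins"}}

def static_groups(user):
    return set(DIRECTORY.get(user, ()))

if __name__ == "__main__":
    acl = AclChecker(CONF, static_groups)
    for who in ("alice", "bob", "carol", "dan", "eve"):
        print(who, acl.allowed(who, "view"), acl.allowed(who, "modify"))
```

A user whose group lookup fails resolves to no groups, so a broken mapping denies access instead of granting it.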

