[
https://issues.apache.org/jira/browse/SPARK-38693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523685#comment-17523685
]
Brad Solomon edited comment on SPARK-38693 at 4/18/22 1:00 PM:
---------------------------------------------------------------
Another argument in favor of supporting is that Spark claims,
> Enabling authentication for the Web UIs is done using [javax servlet
> filters|https://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html]. You
> will need a filter that implements the authentication method you want to
> deploy.
This claim of support doesn't make caveats about the lack of use of
SessionManager. It simply states that authentication can be enabled through
javax servlet filters.Keycloak offers this through
[KeycloakOIDCFilter|#_servlet_filter_adapter],] but yet is not supported.
was (Author: JIRAUSER287274):
Another argument in favor of supporting is that Spark claims
> Enabling authentication for the Web UIs is done using [javax servlet
> filters|https://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html]. You
> will need a filter that implements the authentication method you want to
> deploy.
This claim of support doesn't make caveats about the lack of use of
SessionManager. It simply states that authentication can be enabled through
javax servlet filters.Keycloak offers this through
[KeycloakOIDCFilter|[https://www.keycloak.org/docs/latest/securing_apps/#_servlet_filter_adapter],]
but yet is not supported.
> Spark does not use SessionManager
> ---------------------------------
>
> Key: SPARK-38693
> URL: https://issues.apache.org/jira/browse/SPARK-38693
> Project: Spark
> Issue Type: Bug
> Components: Web UI
> Affects Versions: 3.2.1
> Reporter: Brad Solomon
> Priority: Major
>
> Spark's failure to use a `SessionManager` causes
> `java.lang.IllegalStateException: No SessionManager` that prevents Spark UI
> from being used with
> [org.keycloak.adapters.servlet.KeycloakOIDCFilter|#_servlet_filter_adapter]
> as the `spark.ui.filters` class.
>
> Sample logs:
>
> {code:java}
> spark_1 | 22/03/29 18:43:24 INFO KeycloakDeployment: Loaded URLs from
> http://REDACTED/auth/realms/master/.well-known/openid-configuration
> spark_1 | 22/03/29 18:43:24 WARN HttpChannel: /
> spark_1 | java.lang.IllegalStateException: No SessionManager{code}
>
> Configuration:
>
>
> {code:java}
> spark.ui.filters=org.keycloak.adapters.servlet.KeycloakOIDCFilter
> spark.acls.enable=true
> spark.admin.acls=*
> spark.ui.view.acls=*
> spark.org.keycloak.adapters.servlet.KeycloakOIDCFilter.param.keycloak.config.file=/opt/bitnami/spark/conf/spark-keycloak.json
>
> {code}
>
> Above `spark-keycloak.json` contains configuration generated in the Keycloak
> admin console. We can see that Spark gets as far as allowing the
> KeycloakOIDCFilter class to read this file and initiate communication with
> keycloak.
>
> This IllegalStateException exception emanates from Jetty:
>
> [https://github.com/eclipse/jetty.project/blob/ae5c8e34e7dd4f5cce5f649e48469ba3bbc51d91/jetty-server/src/main/java/org/eclipse/jetty/server/Request.java#L1524]
>
> It appears that Spark's `ServletContextHandler` has the ability to use a
> `SessionManager` but doesn't. This seems to be a blocker that prevents
> integration with Keycloak entirely.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
