Posted to commits@spark.apache.org by rx...@apache.org on 2015/09/01 23:15:04 UTC
spark git commit: [SPARK-4223] [CORE] Support * in acls.
Repository: spark
Updated Branches:
refs/heads/master 3f63bd602 -> ec0128053
[SPARK-4223] [CORE] Support * in acls.
SPARK-4223.
Currently we support setting view and modify acls but you have to specify a list of users. It would be nice to support * meaning all users have access.
Manually tested that "*" works for any user in:
a. Spark ui: view and kill stage. Done.
b. Spark history server. Done.
c. Yarn application killing. Done.
Author: zhuol <zh...@yahoo-inc.com>
Closes #8398 from zhuoliu/4223.
Project: http://git-wip-us.apache.org/repos/asf/spark/repo
Commit: http://git-wip-us.apache.org/repos/asf/spark/commit/ec012805
Tree: http://git-wip-us.apache.org/repos/asf/spark/tree/ec012805
Diff: http://git-wip-us.apache.org/repos/asf/spark/diff/ec012805
Branch: refs/heads/master
Commit: ec012805337926e56343be2761a1037296446880
Parents: 3f63bd6
Author: zhuol <zh...@yahoo-inc.com>
Authored: Tue Sep 1 11:14:59 2015 -1000
Committer: Reynold Xin <rx...@databricks.com>
Committed: Tue Sep 1 11:14:59 2015 -1000
----------------------------------------------------------------------
.../org/apache/spark/SecurityManager.scala | 26 +++++++++++--
.../org/apache/spark/SecurityManagerSuite.scala | 41 ++++++++++++++++++++
docs/configuration.md | 9 +++--
3 files changed, 69 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/spark/blob/ec012805/core/src/main/scala/org/apache/spark/SecurityManager.scala
----------------------------------------------------------------------
diff --git a/core/src/main/scala/org/apache/spark/SecurityManager.scala b/core/src/main/scala/org/apache/spark/SecurityManager.scala
index 673ef49..746d208 100644
--- a/core/src/main/scala/org/apache/spark/SecurityManager.scala
+++ b/core/src/main/scala/org/apache/spark/SecurityManager.scala
@@ -310,7 +310,16 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
setViewAcls(Set[String](defaultUser), allowedUsers)
}
- def getViewAcls: String = viewAcls.mkString(",")
+ /**
+ * Checking the existence of "*" is necessary as YARN can't recognize the "*" in "defaultuser,*"
+ */
+ def getViewAcls: String = {
+ if (viewAcls.contains("*")) {
+ "*"
+ } else {
+ viewAcls.mkString(",")
+ }
+ }
/**
* Admin acls should be set before the view or modify acls. If you modify the admin
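Review bot: `getViewAcls` here and `getModifyAcls` in the next hunk repeat the same if/else and the same Scaladoc, so the two can drift apart when only one is edited. A shared private helper would hold the rule once, for example `private def aclsToString(acls: Set[String]): String = if (acls.contains("*")) "*" else acls.mkString(",")` (this assumes both fields are `Set[String]`, which the hunk suggests but does not show). The Scaladoc gives the YARN reason but not the result; I would add `Returns "*" alone when the wildcard is present, otherwise the comma-separated user list.` The hunk ends inside the Scaladoc of the following method.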
@@ -321,7 +330,16 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
logInfo("Changing modify acls to: " + modifyAcls.mkString(","))
}
- def getModifyAcls: String = modifyAcls.mkString(",")
+ /**
+ * Checking the existence of "*" is necessary as YARN can't recognize the "*" in "defaultuser,*"
+ */
+ def getModifyAcls: String = {
+ if (modifyAcls.contains("*")) {
+ "*"
+ } else {
+ modifyAcls.mkString(",")
+ }
+ }
/**
* Admin acls should be set before the view or modify acls. If you modify the admin
@@ -394,7 +412,7 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
def checkUIViewPermissions(user: String): Boolean = {
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " viewAcls=" +
viewAcls.mkString(","))
- !aclsEnabled || user == null || viewAcls.contains(user)
+ !aclsEnabled || user == null || viewAcls.contains(user) || viewAcls.contains("*")
}
/**
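Review bot: With `|| viewAcls.contains("*")` in the return expression, one `*` entry makes this check pass for every caller while `aclsEnabled` still reports true, so the configuration looks enforced but grants access to everyone. The same holds for `checkModifyPermissions` in the next hunk, where it extends to kill access, and the test added in this commit shows a `*` in the admin list reaching both checks. Because the debug line only prints the set, an operator has no clear signal that the wildcard is in effect. I would emit a warning once where the sets are assigned (those setters are outside these hunks), e.g. `logWarning("view acls contain \"*\": every user is granted view access")`. The `"*"` literal, now repeated in four places, would also be safer as one named private constant.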
@@ -409,7 +427,7 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
def checkModifyPermissions(user: String): Boolean = {
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " modifyAcls=" +
modifyAcls.mkString(","))
- !aclsEnabled || user == null || modifyAcls.contains(user)
+ !aclsEnabled || user == null || modifyAcls.contains(user) || modifyAcls.contains("*")
}
http://git-wip-us.apache.org/repos/asf/spark/blob/ec012805/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
----------------------------------------------------------------------
diff --git a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
index f34aefc..f29160d 100644
--- a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
@@ -125,6 +125,47 @@ class SecurityManagerSuite extends SparkFunSuite {
}
+ test("set security with * in acls") {
+ val conf = new SparkConf
+ conf.set("spark.ui.acls.enable", "true")
+ conf.set("spark.admin.acls", "user1,user2")
+ conf.set("spark.ui.view.acls", "*")
+ conf.set("spark.modify.acls", "user4")
+
+ val securityManager = new SecurityManager(conf)
+ assert(securityManager.aclsEnabled() === true)
+
+ // check for viewAcls with *
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user5") === true)
+ assert(securityManager.checkUIViewPermissions("user6") === true)
+ assert(securityManager.checkModifyPermissions("user4") === true)
+ assert(securityManager.checkModifyPermissions("user7") === false)
+ assert(securityManager.checkModifyPermissions("user8") === false)
+
+ // check for modifyAcls with *
+ securityManager.setModifyAcls(Set("user4"), "*")
+ assert(securityManager.checkModifyPermissions("user7") === true)
+ assert(securityManager.checkModifyPermissions("user8") === true)
+
+ securityManager.setAdminAcls("user1,user2")
+ securityManager.setModifyAcls(Set("user1"), "user2")
+ securityManager.setViewAcls(Set("user1"), "user2")
+ assert(securityManager.checkUIViewPermissions("user5") === false)
+ assert(securityManager.checkUIViewPermissions("user6") === false)
+ assert(securityManager.checkModifyPermissions("user7") === false)
+ assert(securityManager.checkModifyPermissions("user8") === false)
+
+ // check for adminAcls with *
+ securityManager.setAdminAcls("user1,*")
+ securityManager.setModifyAcls(Set("user1"), "user2")
+ securityManager.setViewAcls(Set("user1"), "user2")
+ assert(securityManager.checkUIViewPermissions("user5") === true)
+ assert(securityManager.checkUIViewPermissions("user6") === true)
+ assert(securityManager.checkModifyPermissions("user7") === true)
+ assert(securityManager.checkModifyPermissions("user8") === true)
+ }
+
test("ssl on setup") {
val conf = SSLSampleConfigs.sparkSSLConfig()
val expectedAlgorithms = Set(
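Review bot: The new test exercises only the two permission checks and never calls `getViewAcls` or `getModifyAcls`, so the collapse to a bare `*` that this commit adds for YARN is untested. After the first block of view assertions I would add `assert(securityManager.getViewAcls === "*")`, and after `setModifyAcls(Set("user4"), "*")` add `assert(securityManager.getModifyAcls === "*")`. A negative case is also missing: after the sets are reset to `user1`/`user2`, asserting that both getters no longer return `*` would confirm the wildcard does not stick. The hunk ends inside the following `ssl on setup` test, which is unchanged.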
http://git-wip-us.apache.org/repos/asf/spark/blob/ec012805/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 77c5cbc..fb0315c 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1286,7 +1286,8 @@ Apart from these, the following properties are also available, and may be useful
<td>
Comma separated list of users/administrators that have view and modify access to all Spark jobs.
This can be used if you run on a shared cluster and have a set of administrators or devs who
- help debug when things work.
+ help debug when things work. Putting a "*" in the list means any user can have the priviledge
+ of admin.
</td>
</tr>
<tr>
@@ -1327,7 +1328,8 @@ Apart from these, the following properties are also available, and may be useful
<td>Empty</td>
<td>
Comma separated list of users that have modify access to the Spark job. By default only the
- user that started the Spark job has access to modify it (kill it for example).
+ user that started the Spark job has access to modify it (kill it for example). Putting a "*" in
+ the list means any user can have access to modify it.
</td>
</tr>
<tr>
@@ -1349,7 +1351,8 @@ Apart from these, the following properties are also available, and may be useful
<td>Empty</td>
<td>
Comma separated list of users that have view access to the Spark web ui. By default only the
- user that started the Spark job has view access.
+ user that started the Spark job has view access. Putting a "*" in the list means any user can
+ have view access to this Spark job.
</td>
</tr>
</table>