Managing Spark application permissions

Authorize Spark application submissions, management, and use.

Manage user access to Spark applications. The CQL resources for Spark applications are WORKPOOL and SUBMISSION. The CREATE permission on a workpool resource controls whether a user can submit a Spark application to DSE. The MODIFY permission on a submission resource controls whether a user can manage and remove applications.

Procedure

Use CQL shell (cqlsh) to authorize access to DSE Resource Manager and Spark applications. All commands must be entered on a DSE Analytics node in the cluster.

  • Access to DSE Resource Manager:
    GRANT EXECUTE ON REMOTE OBJECT DseResourceManager TO role_name;
  • Run applications:
    GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO role_name;
    Note: Each DSE Analytics user must have permission to make remote procedure calls with DSE client tools.
  • For roles that are not superusers, access to the following tables is required:
    GRANT SELECT ON system.size_estimates TO role_name;
    GRANT SELECT ON "HiveMetaStore".sparkmetastore TO role_name;
    GRANT MODIFY ON "HiveMetaStore".sparkmetastore TO role_name;
  • Submit applications:
    • To all datacenters:
      GRANT CREATE ON ANY WORKPOOL TO role_name;
      Tip: Use the REVOKE command to remove access:
      REVOKE CREATE ON ANY WORKPOOL FROM role_name;
    • A particular datacenter:
      GRANT CREATE ON WORKPOOL datacenter_name TO role_name;
      Tip: Use the REVOKE command to remove access:
      REVOKE CREATE ON WORKPOOL datacenter_name FROM role_name;
    Note: The role used to submit an application is automatically granted permission to MODIFY the application.
  • Modify applications:
    • All applications:
      GRANT MODIFY ON ANY SUBMISSION TO role_name;
      Tip: Use the REVOKE command to remove access:
      REVOKE MODIFY ON ANY SUBMISSION FROM role_name;
    • All applications in a particular datacenter:
      GRANT MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name TO role_name; 
      Tip: Use the REVOKE command to remove access:
      REVOKE MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name FROM role_name;
    • Specific application in a particular datacenter:
      GRANT MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name TO role_name; 
      Tip: Use the REVOKE command to remove access:
      REVOKE MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name FROM role_name;
  • Use DSE GraphFrames:
    GRANT EXECUTE ON REMOTE OBJECT DseGraphRpc TO role_name;
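
The grants above combined into a least-privilege setup scoped to a single datacenter, as an added example that is not part of the original documentation. The role names spark_submitter and spark_operator and the datacenter name dc_analytics are constructed placeholders; substitute the names used in your cluster.

```cql
-- Added example: two non-superuser roles limited to one datacenter.
-- spark_submitter, spark_operator and dc_analytics are constructed
-- placeholders, not values from the documentation.

CREATE ROLE IF NOT EXISTS spark_submitter WITH LOGIN = true;
CREATE ROLE IF NOT EXISTS spark_operator  WITH LOGIN = true;

-- Both roles need the resource manager and client tool RPC objects.
GRANT EXECUTE ON REMOTE OBJECT DseResourceManager TO spark_submitter;
GRANT EXECUTE ON REMOTE OBJECT DseClientTool      TO spark_submitter;
GRANT EXECUTE ON REMOTE OBJECT DseResourceManager TO spark_operator;
GRANT EXECUTE ON REMOTE OBJECT DseClientTool      TO spark_operator;

-- Table access required for roles that are not superusers.
GRANT SELECT ON system.size_estimates          TO spark_submitter;
GRANT SELECT ON "HiveMetaStore".sparkmetastore TO spark_submitter;
GRANT MODIFY ON "HiveMetaStore".sparkmetastore TO spark_submitter;

-- Submitter: may submit only to dc_analytics (no ANY WORKPOOL grant).
-- It automatically receives MODIFY on the applications it submits.
GRANT CREATE ON WORKPOOL dc_analytics TO spark_submitter;

-- Operator: may manage and remove applications in dc_analytics,
-- but holds no CREATE permission, so it cannot submit new ones.
GRANT MODIFY ON ANY SUBMISSION IN WORKPOOL dc_analytics TO spark_operator;

-- Audit what each role ended up with. A row on ANY WORKPOOL or
-- ANY SUBMISSION here means the role is broader than intended.
LIST ALL PERMISSIONS OF spark_submitter;
LIST ALL PERMISSIONS OF spark_operator;

-- Offboarding: remove submit and manage rights again.
REVOKE CREATE ON WORKPOOL dc_analytics FROM spark_submitter;
REVOKE MODIFY ON ANY SUBMISSION IN WORKPOOL dc_analytics FROM spark_operator;
```

Separating the two roles keeps the ability to remove other users' applications away from accounts that only need to submit their own.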