Authorizing dse client-tool spark and dse spark
To run the dse client-tool spark or dse spark using a non-superuser role, authorize the role to EXECUTE on the following resource:
-
REMOTE OBJECT DseClientTool
When an unauthorized user attempts to run the command, launch a spark console session, as shown in the following example:
dse -u jane -p password sparkAn unauthorized error displays:
The log file is at /home/automaton/.spark-shell.log
ERROR 2018-07-10 19:23:04,382 org.apache.spark.deploy.DseSparkSubmitBootstrapper: Failed to start or submit Spark application because of com.datastax.driver.core.exceptions.UnauthorizedException: User jane has no EXECUTE permission on <rpc method DseClientTool.getSparkMetricsConfig> or any of its parents - see details in the log file(s): /home/automaton/.spark-shell.log
ERROR 2018-07-10 19:23:04,682 org.apache.spark.deploy.DseSparkSubmitBootstrapper: Failed to cancel delegation tokenProcedure
-
Log in to
cqlshwith an account that has authorization permission on remote objects.cqlsh -u sec_admin -
Give
EXECUTEpermission to the role.GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO jane; -
Optional: Test that a user with the role, for example,
jane, can execute a command.dse -u jane -p password sparkThe log file is at /home/automaton/.spark-shell.log Creating a new Spark Session Welcome to ____ __ / __/__ ___ _____/ /__ _\ \/ _ \/ _ `/ __/ '_/ /___/ .__/\_,_/_/ /_/\_\ version 2.2.0.14 /_/ Using Scala version 2.11.8 (Java HotSpot(TM) 64-Bit Server VM, Java 1.8.0_152) Type in expressions to have them evaluated. Type :help for more information. scala>
