Managing Spark application permissions
Authorize Spark application submissions, management, and use.
Procedure
Use CQL shell (cqlsh) to authorize access to DSE Resource Manager and Spark
applications. All commands must be entered on a DSE Analytics node in the
cluster.
- Access to DSE Resource Manager:
  GRANT EXECUTE ON REMOTE OBJECT DseResourceManager TO role_name;
- Run applications:
  GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO role_name;
  Note: Each DSE Analytics user must have permission to make remote procedure calls with DSE client tools.
- For roles that are not superusers, access to the following tables is required:
  GRANT SELECT ON system.size_estimates TO role_name;
  GRANT SELECT ON "HiveMetaStore".sparkmetastore TO role_name;
  GRANT MODIFY ON "HiveMetaStore".sparkmetastore TO role_name;
- Submit applications:
  - To all datacenters:
    GRANT CREATE ON ANY WORKPOOL TO role_name;
    Tip: Use the REVOKE command to remove access:
    REVOKE CREATE ON ANY WORKPOOL FROM role_name;
  - A particular datacenter:
    GRANT CREATE ON WORKPOOL datacenter_name TO role_name;
    Tip: Use the REVOKE command to remove access:
    REVOKE CREATE ON WORKPOOL datacenter_name FROM role_name;
  Note: The role used to submit an application is automatically granted permission to MODIFY the application.
- Modify applications:
  - All applications:
    GRANT MODIFY ON ANY SUBMISSION TO role_name;
    Tip: Use the REVOKE command to remove access:
    REVOKE MODIFY ON ANY SUBMISSION FROM role_name;
  - All applications in a particular datacenter:
    GRANT MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name TO role_name;
    Tip: Use the REVOKE command to remove access:
    REVOKE MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name FROM role_name;
  - Specific application in a particular datacenter:
    GRANT MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name TO role_name;
    Tip: Use the REVOKE command to remove access:
    REVOKE MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name FROM role_name;
- Use DSE GraphFrames:
  GRANT EXECUTE ON REMOTE OBJECT DseGraphRpc TO role_name;
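
The following is an added example, not part of the original procedure or of DSE itself: a small Python review helper that reads a grant script written in the forms shown above, flags the grants that apply to all datacenters (ANY WORKPOOL, or ANY SUBMISSION without IN WORKPOOL), and builds the matching REVOKE for each. The role names, the datacenter name and the sample script are constructed for illustration.

```python
import re

# Matches the GRANT forms shown on this page: GRANT <perm> ON <resource> TO <role>
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<perm>\w+)\s+ON\s+(?P<res>.+?)\s+TO\s+(?P<role>\w+)\s*;?\s*$",
    re.IGNORECASE,
)

def parse_grant(stmt):
    """Return (permission, resource, role), or None if stmt is not a GRANT."""
    m = GRANT_RE.match(stmt)
    if not m:
        return None
    return m["perm"].upper(), " ".join(m["res"].split()), m["role"]

def is_all_datacenters(resource):
    """True for ANY WORKPOOL, or ANY SUBMISSION not limited by IN WORKPOOL."""
    r = resource.upper()
    return r == "ANY WORKPOOL" or (r.startswith("ANY SUBMISSION") and " IN WORKPOOL " not in r)

def to_revoke(stmt):
    """Build the REVOKE that undoes a GRANT: same resource, TO becomes FROM."""
    perm, res, role = parse_grant(stmt)
    return f"REVOKE {perm} ON {res} FROM {role};"

def review(script):
    """Return [(grant, matching_revoke)] for every all-datacenter grant."""
    findings = []
    for stmt in script.split(";"):
        parsed = parse_grant(stmt)
        if parsed and is_all_datacenters(parsed[1]):
            findings.append((stmt.strip() + ";", to_revoke(stmt)))
    return findings

# Constructed sample: a provisioning script for two hypothetical roles.
SAMPLE = """
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO etl_role;
GRANT CREATE ON ANY WORKPOOL TO etl_role;
GRANT MODIFY ON ANY SUBMISSION IN WORKPOOL dc_analytics TO etl_role;
GRANT MODIFY ON ANY SUBMISSION TO ops_role;
GRANT SELECT ON "HiveMetaStore".sparkmetastore TO etl_role;
"""

if __name__ == "__main__":
    for grant, revoke in review(SAMPLE):
        print(f"all datacenters: {grant}\n  undo with: {revoke}")
```

Each flagged grant can then be replaced with the WORKPOOL datacenter_name form where the role only needs one datacenter.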