Authorize Spark application submissions, management, and use.
Manage user access to Spark applications. The CQL resources for Spark applications
are WORKPOOL and SUBMISSION. Create permissions on the workpool resource controls the
ability of a user to submit a Spark application to DSE. Modify permissions on submission
resource controls the ability of a user to manage and remove applications.
Procedure
Use CQL shell (cqlsh) to authorize access to DSE Resource Manager and Spark
applications. All commands must be entered on a DSE Analytics node in the
cluster.
-
Access to DSE Resource Manager:
GRANT EXECUTE ON REMOTE OBJECT DseResourceManager TO role_name;
-
Run applications:
GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO role_name
Note: Each DSE Analytics user must have permission to make remote procedure
calls with DSE client tools.
-
For roles that are not superusers, access to the following tables is
required:
GRANT SELECT ON system.size_estimates TO role_name;
GRANT SELECT ON "HiveMetaStore".sparkmetastore TO role_name;
GRANT MODIFY ON "HiveMetaStore".sparkmetastore TO role_name;
-
Submit applications:
Note: The role used to submit an application is automatically granted permission
to MODIFY the application.
-
Modify applications:
- All applications:
GRANT MODIFY ON ANY SUBMISSION TO role_name;
Tip: Use revoke command to remove
access:
REVOKE MODIFY ON ANY SUBMISSION FROM role_name;
- All applications in a particular
datacenter:
GRANT MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name TO role_name;
Tip: Use revoke command to remove
access:
REVOKE MODIFY ON ANY SUBMISSION IN WORKPOOL datacenter_name FROM role_name;
- Specific application in a particular
datacenter:
GRANT MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name TO role_name;
Tip: Use revoke command to remove
access:
REVOKE MODIFY ON SUBMISSION id IN WORKPOOL datacenter_name FROM role_name;
-
Use DSE GraphFrames:
GRANT EXECUTE ON REMOTE OBJECT DseGraphRpc TO role_name;