Authorizing dse client-tool spark and dse spark

Authorization required to run dse client-tool spark or dse spark.

To run the or dse spark using a non-superuser role, authorize the role to EXECUTE on the following resources:
  • REMOTE OBJECT DseClientTool
When an unauthorized user attempts to run the command, for example launch a spark console session:
dse -u jane -p password spark
An unauthorized error displays:
The log file is at /home/automaton/.spark-shell.log
ERROR 2018-07-10 19:23:04,382 org.apache.spark.deploy.DseSparkSubmitBootstrapper: Failed to start or submit Spark application because of com.datastax.driver.core.exceptions.UnauthorizedException: User jane has no EXECUTE permission on <rpc method DseClientTool.getSparkMetricsConfig> or any of its parents - see details in the log file(s): /home/automaton/.spark-shell.log
ERROR 2018-07-10 19:23:04,682 org.apache.spark.deploy.DseSparkSubmitBootstrapper: Failed to cancel delegation token

Procedure

  1. Log in to cqlsh with an account that has authorization permission on remote objects.
    cqlsh -u sec_admin
  2. Give EXECUTE permission to the role.
    GRANT EXECUTE ON REMOTE OBJECT DseClientTool TO jane;
  3. (Optional) Test that a user with the role can execute a command.
    dse -u jane -p password spark
    The log file is at /home/automaton/.spark-shell.log
    Creating a new Spark Session
    Welcome to
          ____              __
         / __/__  ___ _____/ /__
        _\ \/ _ \/ _ `/ __/  '_/
       /___/ .__/\_,_/_/ /_/\_\   version 2.2.0.14
          /_/
    
    Using Scala version 2.11.8 (Java HotSpot(TM) 64-Bit Server VM, Java 1.8.0_152)
    Type in expressions to have them evaluated.
    Type :help for more information.
    
    scala>