Analytic applications
Syntax for authorizing Spark applications.
Authorize Spark applications on a DataStax Enterprise Analytics node.
Set permissions on roles to allow Spark applications to be started, stopped, managed, and
viewed. To configure the permissions for a particular role, modify the
WORKPOOL and SUBMISSION database objects by issuing CQL
commands.
There are two kinds of authorization permissions which apply to Spark. Work pool permissions control the ability to submit or view a Spark application to DSE. Submission permissions control the ability to view or manage a particular application. If authentication and authorization are enabled for the Spark web UI, these permissions control what the authenticated user is allowed to view and modify.
All the following instructions assume you are issuing the CQL commands as a database superuser. In order to issue the following CQL commands as a regular database user, the user needs to have permission to use the DSE resource manager RPC:
GRANT ALL ON REMOTE OBJECT DseResourceManager TO role;
Each DSE Analytics user needs to have permission to use the client tools RPC:
GRANT ALL ON REMOTE OBJECT DseClientTool TO role;
Spark application management permissions use the following modelled hierarchy:
- ANY WORKPOOL
- WORKPOOL 'datacenter_name.workpool_name'
- ANY SUBMISSION
- ANY SUBMISSION IN WORKPOOL
'datacenter_name.workpool_name'
- SUBMISSION id IN WORKPOOL 'datacenter_name.workpool_name'
- ANY SUBMISSION IN WORKPOOL
'datacenter_name.workpool_name'
Synopsis
- Any workpool in any Analytics datacenter in the
cluster:
GRANT permission_list ON ANY WORKPOOL TO role_name;
- All workpools in a specific Analytics datacenter (use asterisk instead of a workpool
name):
GRANT permission_list ON WORKPOOL 'datacenter_name.*' TO role_name; - Specific
workpool:
GRANT permission_list ON WORKPOOL 'datacenter_name.workpool_name' TO role_name;
- All applications in cluster:
GRANT permission_list ON ANY SUBMISSION TO role_name; - All applications in a datacenter (use an asterisk instead of a workpool
name):
GRANT permission_list ON ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' TO role_name; - All applications in a
workpool:
GRANT permission_list ON ANY SUBMISSION IN WORKPOOL 'datacenter_name.workpool_name' TO role_name; - Specific application in a
workpool:
where id is a string that is either the Spark application ID or the ID of the Spark driver running in cluster mode.GRANT permission_list ON SUBMISSION id IN WORKPOOL 'datacenter_name.workpool_name' TO role_name;
Permission matrix
| Privilege | Resource | Permissions |
|---|---|---|
| CREATE | ANY WORKPOOL | Start and submit applications in any workpool in all Analytic datacenters. |
| CREATE | WORKPOOL 'datacenter_name.*' | Start and submit applications in all workpools of a specified datacenter. |
| CREATE | WORKPOOL 'datacenter_name.workpool_name' | Start and submit applications in a workpool of a specified datacenter. |
| DESCRIBE | ANY WORKPOOL | Browse all applications in the Spark web UI. |
| DESCRIBE | WORKPOOL 'datacenter_name.*' | Browse applications in the datacenter from the Spark web UI. |
| DESCRIBE | WORKPOOL 'datacenter_name.workpool_name' | Browse applications in the workpool from the Spark web UI. |
| DESCRIBE | ANY SUBMISSION | View all submissions, including executors. |
| DESCRIBE | ANY SUBMISSION IN WORKPOOL 'datacenter_name.*' | View all submissions, including executors in the datacenter specified. |
| DESCRIBE | ANY SUBMISSION IN WORKPOOL 'datacenter_name.workpool_name' | View all submissions, including executors in the workpool specified. |
| DESCRIBE | SUBMISSION id IN WORKPOOL 'datacenter_name.workpool_name' | View a submission, including executor. |
| MODIFY | ANY SUBMISSION | Manage and stop applications across the entire cluster. |
| MODIFY | ANY SUBMISSION IN WORKPOOL 'datacenter_name.workpool_name' | Manage and stop applications in the specified datacenter. |
| MODIFY | SUBMISSION id IN WORKPOOL 'datacenter_name.workpool_name' | Manage and stop a specific application. |