[SPARK-4223] [Core] Support * in acls. #8398
Conversation
zhuoliu
changed the title
zhuoliu
changed the title
…port 'defaultuser, *' pattern
| @@ -310,7 +310,13 @@ private[spark] class SecurityManager(sparkConf: SparkConf) | |||
| setViewAcls(Set[String](defaultUser), allowedUsers) | |||
| } | |||
|
|
|||
| def getViewAcls: String = viewAcls.mkString(",") | |||
| def getViewAcls: String = { | |||
| if (viewAcls.contains("*")) { | |||
There was a problem hiding this comment.
It would be good here to put a comment that YARN requires only a * to be returned. you can't have *,user1,user2 to explain why we do this
|
Jenkins, test this please |
|
Test build #41646 has finished for PR 8398 at commit
|
| conf.set("spark.ui.view.acls", "*") | ||
| conf.set("spark.modify.acls", "user4") | ||
|
|
||
| val securityManager = new SecurityManager(conf); |
|
Just minor nits, otherwise LGTM. Also, minor, but we generally write "YARN" instead of "Yarn" in comments. |
|
retest this please |
|
Thanks @vanzin, comments addressed. |
|
Test build #41651 has finished for PR 8398 at commit
|
|
I think it would be nice if we update the docs to tell users * is supported. Can you update docs/configuration.md. Perhaps under each description of modify.acsl, view.acls, admin.acls add something that says Special value of * means anyone |
|
Sure. Docs updated. |
|
Jenkins, ok to test |
|
retest this please |
|
Test build #41699 has finished for PR 8398 at commit
|
|
retest this please |
|
Test build #41703 has finished for PR 8398 at commit
|
| def getModifyAcls: String = modifyAcls.mkString(",") | ||
| /** | ||
| * Checking the existence of "*" is necessary as YARN can't recognize the "*" in "defaultuser,*" | ||
| */ |
There was a problem hiding this comment.
nit - spacing off. remove space before *
|
@rxin @JoshRosen Since this is in core would one of you like to take a look. Minor nit in spacing otherwise LGTM. |
|
Test build #41746 has finished for PR 8398 at commit
|
|
LGTM - I've merged this. |
SPARK-4223.
Currently we support setting view and modify acls but you have to specify a list of users. It would be nice to support * meaning all users have access.
Manual tests to verify that: "*" works for any user in:
a. Spark ui: view and kill stage. Done.
b. Spark history server. Done.
c. Yarn application killing. Done.