Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How to set up authentication for spark history server?

Labels:
michalLi
New Contributor

Created ‎08-23-2022 08:35 PM

Hi Guys,

 

I would like to know how to set up authentication for spark history server, so that unauthorized users cannot view the spark history server web ui, any help would be appreciated, thanks!

 

1. I do notice there are below statements in the official spark document:“Enabling authentication for the Web UIs is done using javax servlet filters. You will need a filter that implements the authentication method you want to deploy. Spark does not provide any built-in authentication filters.”

 2. There is also a thread on stackoverflow regardig this : “You re-use Hadoop's jetty authentication filter for Kerberos/SPNEGO: spark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter and spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params=type=kerberos,kerberos.principal=${spnego_principal_name},kerberos.keytab=${spnego_keytab_path}”.

 

with kerberos authentication enabled in CDH6.3, I followed the instructions in the above stackoverflow thread, but is unable to acheive the expected results, any user can view the spark history server web ui.

 

 

Thanks,

Michael

394 Views
0 Kudos
1 ACCEPTED SOLUTION

michalLi
New Contributor

Created ‎11-09-2022 07:44 PM

Just an update, this is resolved.

 

1. With kerberos authentication enabled, you can go to the spark service's configuration tab and turn on "history_server_spnego_enabled", which will "Enables user authentication using SPNEGO (requires Kerberos), and enables access control to application history data.", and after the restart, the shs webui will be authenticated, as below screenshot shows:

michalLi_0-1668051212950.png

 

michalLi_1-1668051365660.png

 

Underneath, the shs is restarted with below configuration:

spark.history.kerberos.enabled=true
spark.history.kerberos.principal=xx
spark.history.kerberos.keytab=xxx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.type=kerberos
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.principal=xx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.keytab=xx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.name.rules=xxx
spark.history.ui.acls.enable=true
spark.ui.filters=org.apache.spark.deploy.yarn.YarnProxyRedirectFilter,org.apache.hadoop.security.authentication.server.AuthenticationFilter

 

2. If kerberos is not enabled, you have to implement your own authentication filter and configure below parameters:

spark.ui.filters=org.apache.spark.deploy.yarn.YarnProxyRedirectFilter,your-authentication-filter-name

spark.your-authentication-filter-name.param.parm-name=parm-value

spark.history.ui.acls.enable

spark.history.ui.admin.acls

spark.history.ui.admin.acls.groups

 

 

View solution in original post

299 Views
0 Kudos
1 REPLY 1

michalLi
New Contributor

Created ‎11-09-2022 07:44 PM

Just an update, this is resolved.

 

1. With kerberos authentication enabled, you can go to the spark service's configuration tab and turn on "history_server_spnego_enabled", which will "Enables user authentication using SPNEGO (requires Kerberos), and enables access control to application history data.", and after the restart, the shs webui will be authenticated, as below screenshot shows:

michalLi_0-1668051212950.png

 

michalLi_1-1668051365660.png

 

Underneath, the shs is restarted with below configuration:

spark.history.kerberos.enabled=true
spark.history.kerberos.principal=xx
spark.history.kerberos.keytab=xxx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.type=kerberos
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.principal=xx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.keytab=xx
spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.param.kerberos.name.rules=xxx
spark.history.ui.acls.enable=true
spark.ui.filters=org.apache.spark.deploy.yarn.YarnProxyRedirectFilter,org.apache.hadoop.security.authentication.server.AuthenticationFilter

 

2. If kerberos is not enabled, you have to implement your own authentication filter and configure below parameters:

spark.ui.filters=org.apache.spark.deploy.yarn.YarnProxyRedirectFilter,your-authentication-filter-name

spark.your-authentication-filter-name.param.parm-name=parm-value

spark.history.ui.acls.enable

spark.history.ui.admin.acls

spark.history.ui.admin.acls.groups

 

 

300 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
View More Announcements