Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

What security is available for Spark?

Labels:
avatar
author-rank abajwa author-rank
Guru

Created ‎12-08-2015 05:14 AM

What security is available for Spark? How would the below security aspects work with Spark?

  1. authentication
  2. authorization
  3. audit
  4. encryption

For deployments where security is a concern, what mode of Spark should be used?

4,750 Views
1 ACCEPTED SOLUTION

avatar
author-rank vshukla
Guru

Created ‎12-08-2015 05:20 AM

1. Authentication

Spark supports running in a Kerberized Cluster.

Only Spark on YARN supports security (Kerberos support). From command line run kinit before submitting spark jobs.

LDAP Authentication, there is no Authentication in Spark UI OOB, supports filter for hooking in LDAP

2. Authorization

Spark reads data from HDFS & ORC etc and access control at HDFS level still applies. For example HDFS file permissions (& Ranger integration) applicable to Spark jobs

Spark submits job to YARN queue, so YARN queue ACL (& Ranger integration) applicable to Spark jobs

3. Audi

The Spark jobs are run on YARN and read from HDFS, HBase etc. So audit logs for YARN and HDFS access is still applicable and you can use Ranger to view this.

4. Wire Encryption

•Spark has some coverage, not all channels are covered

View solution in original post

1,257 Views
3 REPLIES 3

avatar
author-rank vshukla
Guru

Created ‎12-08-2015 05:20 AM

1. Authentication

Spark supports running in a Kerberized Cluster.

Only Spark on YARN supports security (Kerberos support). From command line run kinit before submitting spark jobs.

LDAP Authentication, there is no Authentication in Spark UI OOB, supports filter for hooking in LDAP

2. Authorization

Spark reads data from HDFS & ORC etc and access control at HDFS level still applies. For example HDFS file permissions (& Ranger integration) applicable to Spark jobs

Spark submits job to YARN queue, so YARN queue ACL (& Ranger integration) applicable to Spark jobs

3. Audi

The Spark jobs are run on YARN and read from HDFS, HBase etc. So audit logs for YARN and HDFS access is still applicable and you can use Ranger to view this.

4. Wire Encryption

•Spark has some coverage, not all channels are covered

1,258 Views

avatar
author-rank anandmurari
Explorer

Created ‎12-09-2015 02:51 PM

Spark authentication via a shared secret, Its basically handshaking mechanism to validate the same secret code, this can be configured thru spark.authenticate

1,257 Views
0 Kudos

avatar
author-rank stevel author-rank
Guru

Created ‎12-09-2015 07:14 PM

Note that Spark 1.5+ is needed for spark jobs of duration > 72h not to fail when their kerberos tickers expire. And you'll need to supply a keytab which the Spark AM can renew tickets with. For short-lived queries, this problem should not surface

1,257 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements