From 0d8333ce1b7b35343e09e418d224c94dc9aeb21b Mon Sep 17 00:00:00 2001
From: Thomas Graves
Date: Thu, 24 Apr 2014 16:07:43 -0500
Subject: [PATCH] Add history ui policy to allow acls to either use application set, history server force acls on, or off
---
 .../spark/deploy/history/HistoryServer.scala | 29 +++++++++++++++++--
 docs/monitoring.md | 12 ++++++++
 2 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/core/src/main/scala/org/apache/spark/deploy/history/HistoryServer.scala b/core/src/main/scala/org/apache/spark/deploy/history/HistoryServer.scala
index 700b1cbc01e2c..d73587ae2896d 100644
--- a/core/src/main/scala/org/apache/spark/deploy/history/HistoryServer.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/history/HistoryServer.scala
@@ -181,10 +181,15 @@ class HistoryServer(
 // Do not call ui.bind() to avoid creating a new server for each application
 replayBus.replay()
 if (appListener.applicationStarted) {
- // Note this relies on the user setting acls properly. We could also add in a master config
- // to the history server that admins would set if we don't trust the user.
+ HISTORY_UI_ACLS_POLICY match {
+ case HistoryUIAclPolicy.APPLICATION =>
+ appSecManager.setUIAcls(appListener.enableViewAcls)
+ case HistoryUIAclPolicy.HISTORY_SERVER =>
+ appSecManager.setUIAcls(true)
+ case HistoryUIAclPolicy.OFF =>
+ appSecManager.setUIAcls(false)
+ }
 appSecManager.setViewAcls(appListener.sparkUser, appListener.viewAcls)
- appSecManager.setUIAcls(appListener.enableViewAcls)
 attachSparkUI(ui)
 val appName = appListener.appName
 val sparkUser = appListener.sparkUser
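Review bot: The `HISTORY_SERVER` case forces enforcement on, but the viewer list on the line after the match still comes from `appListener.sparkUser` and `appListener.viewAcls`, so who may view an application is still whatever the replayed event log recorded; the policy only decides whether that list is enforced. With the old comment removed, nothing at this site says that `APPLICATION` (the default) trusts the logged `enableViewAcls` value, so that case deserves a comment such as `// trusts the enableViewAcls value the application recorded; anyone can view if it was not set`. It would also help to state here whether enforcement depends on an authentication filter supplying the remote user, which this hunk does not show. The enclosing method starts and ends outside the hunk.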
@@ -240,6 +245,20 @@ class HistoryServer( } } +/** + * This is the policy used by the history server for setting who has view permissions + * to the applications. + * APPLICATION uses the acl settings set by the user who ran the application. If it had + * acls enabled, then it will enforce those acls, otherwise anyone can view the application. + * HISTORY_SERVER enables the acls for all applications regardless of the application acl settings. + * OFF disables the acls for all applications regardless of the application acl settings. + */ +object HistoryUIAclPolicy extends Enumeration { + + type HistoryUIAclPolicy = Value + val APPLICATION, HISTORY_SERVER, OFF = Value +} + /** * The recommended way of starting and stopping a HistoryServer is through the scripts * start-history-server.sh and stop-history-server.sh. The path to a base log directory @@ -262,6 +281,10 @@ object HistoryServer { // The port to which the web UI is bound val WEB_UI_PORT = conf.getInt("spark.history.ui.port", 18080) + // the ui acl policy to apply to the applications + val HISTORY_UI_ACLS_POLICY = HistoryUIAclPolicy. + withName(conf.get("spark.history.ui.acls.policy", "APPLICATION")) + val STATIC_RESOURCE_DIR = SparkUI.STATIC_RESOURCE_DIR def main(argStrings: Array[String]) { diff --git a/docs/monitoring.md b/docs/monitoring.md index 347a9b1f1a329..fdca4163a1ab4 100644 --- a/docs/monitoring.md +++ b/docs/monitoring.md 
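Review bot: `HistoryUIAclPolicy` is a `scala.Enumeration`, so the `match` over it in `class HistoryServer` gets no exhaustiveness check from the compiler; a policy value added later without a matching case would presumably surface as a `MatchError` while replaying an application, not at build time. Since this value decides whether view ACLs are enforced, the Scaladoc should say so, for example `Every value must be handled where the policy is applied; matches on Enumeration values are not checked for exhaustiveness.` A sealed trait with three case objects would let the compiler catch a missing case, at the cost of replacing the `withName` lookup.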
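Review bot: `HistoryUIAclPolicy.withName(...)` throws `NoSuchElementException` for any string that is not exactly one of the three value names, and because it runs while `object HistoryServer` is being initialized the failure will not name the offending key. The lookup is case-sensitive, and the `docs/monitoring.md` text added in this same patch refers to `APPLICATIONS`, which is not a valid value. Refusing to start is the safe direction for an access-control setting, but the error should name `spark.history.ui.acls.policy` and list the accepted values, which means catching the exception around the lookup and rethrowing with that text. `object HistoryServer` continues outside the hunk.

```scala
  // the ui acl policy to apply to the applications
  val HISTORY_UI_ACLS_POLICY = {
    val policyName = conf.get("spark.history.ui.acls.policy", "APPLICATION")
    try {
      HistoryUIAclPolicy.withName(policyName)
    } catch {
      case e: NoSuchElementException =>
        throw new IllegalArgumentException(
          "Invalid value for spark.history.ui.acls.policy: " + policyName +
            ". Valid values are: " + HistoryUIAclPolicy.values.mkString(", "), e)
    }
  }
```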
@@ -115,6 +115,18 @@ represents an application's event logs. This creates a web interface at Location of the kerberos keytab file for the History Server. + + spark.history.ui.acls.policy + APPLICATION + + This controls the policy used by the history server for setting who has view permissions + to the applications. There are three options: APPLICATION, HISTORY_SERVER, and OFF. + APPLICATIONS uses the acl settings set by the user who ran the application. If it had + acls enabled, then it will enforce those acls, otherwise anyone can view the application. + HISTORY_SERVER enables the acls for all applications regardless of the application acl settings. + OFF disables the acls for all applications regardless of the application acl settings. + + Note that in all of these UIs, the tables are sortable by clicking their headers,