Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SPARK-1890 and SPARK-1891- add admin and modify acls #1196

Closed
wants to merge 4 commits into from
Closed

SPARK-1890 and SPARK-1891- add admin and modify acls #1196

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
72eb0ac
Add modify acls
tgravescs Jun 23, 2014
4c765f4
Add in admin acls
tgravescs Jun 24, 2014
b92ec89
remove unneeded variable from applistener
tgravescs Jun 24, 2014
8292eb1
review comments
tgravescs Jul 15, 2014
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 81 additions & 16 deletions core/src/main/scala/org/apache/spark/SecurityManager.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,10 +41,19 @@ import org.apache.spark.deploy.SparkHadoopUtil
* secure the UI if it has data that other users should not be allowed to see. The javax
* servlet filter specified by the user can authenticate the user and then once the user
* is logged in, Spark can compare that user versus the view acls to make sure they are
* authorized to view the UI. The configs 'spark.ui.acls.enable' and 'spark.ui.view.acls'
* authorized to view the UI. The configs 'spark.acls.enable' and 'spark.ui.view.acls'
* control the behavior of the acls. Note that the person who started the application
* always has view access to the UI.
*
* Spark has a set of modify acls (`spark.modify.acls`) that controls which users have permission
* to modify a single application. This would include things like killing the application. By
* default the person who started the application has modify access. For modify access through
* the UI, you must have a filter that does authentication in place for the modify acls to work
* properly.
*
* Spark also has a set of admin acls (`spark.admin.acls`) which is a set of users/administrators
* who always have permission to view or modify the Spark application.
*
* Spark does not currently support encryption after authentication.
*
* At this point spark has multiple communication protocols that need to be secured and
Expand Down Expand Up @@ -137,18 +146,32 @@ private[spark] class SecurityManager(sparkConf: SparkConf) extends Logging {
private val sparkSecretLookupKey = "sparkCookie"

private val authOn = sparkConf.getBoolean("spark.authenticate", false)
private var uiAclsOn = sparkConf.getBoolean("spark.ui.acls.enable", false)
// keep spark.ui.acls.enable for backwards compatibility with 1.0
private var aclsOn = sparkConf.getOption("spark.acls.enable").getOrElse(
sparkConf.get("spark.ui.acls.enable", "false")).toBoolean

// admin acls should be set before view or modify acls
private var adminAcls: Set[String] =
stringToSet(sparkConf.get("spark.admin.acls", ""))

private var viewAcls: Set[String] = _

// list of users who have permission to modify the application. This should
// apply to both UI and CLI for things like killing the application.
private var modifyAcls: Set[String] = _

// always add the current user and SPARK_USER to the viewAcls
private val defaultAclUsers = Seq[String](System.getProperty("user.name", ""),
private val defaultAclUsers = Set[String](System.getProperty("user.name", ""),
Option(System.getenv("SPARK_USER")).getOrElse(""))

setViewAcls(defaultAclUsers, sparkConf.get("spark.ui.view.acls", ""))
setModifyAcls(defaultAclUsers, sparkConf.get("spark.modify.acls", ""))

private val secretKey = generateSecretKey()
logInfo("SecurityManager: authentication " + (if (authOn) "enabled" else "disabled") +
"; ui acls " + (if (uiAclsOn) "enabled" else "disabled") +
"; users with view permissions: " + viewAcls.toString())
"; ui acls " + (if (aclsOn) "enabled" else "disabled") +
"; users with view permissions: " + viewAcls.toString() +
"; users with modify permissions: " + modifyAcls.toString())

// Set our own authenticator to properly negotiate user/password for HTTP connections.
// This is needed by the HTTP client fetching from the HttpServer. Put here so its
Expand All @@ -169,18 +192,43 @@ private[spark] class SecurityManager(sparkConf: SparkConf) extends Logging {
)
}

private[spark] def setViewAcls(defaultUsers: Seq[String], allowedUsers: String) {
viewAcls = (defaultUsers ++ allowedUsers.split(',')).map(_.trim()).filter(!_.isEmpty).toSet
/**
* Split a comma separated String, filter out any empty items, and return a Set of strings
*/
private def stringToSet(list: String): Set[String] = {
(list.split(',')).map(_.trim()).filter(!_.isEmpty).toSet
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: too many parentheses

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed a couple.

}

private[spark] def setViewAcls(defaultUsers: Set[String], allowedUsers: String) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More out of curiosity: since the class is already "private[spark]", is the modifier also needed here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no I don't believe it is needed, I'll remove them.

viewAcls = (adminAcls ++ defaultUsers ++ stringToSet(allowedUsers))
logInfo("Changing view acls to: " + viewAcls.mkString(","))
}

private[spark] def setViewAcls(defaultUser: String, allowedUsers: String) {
setViewAcls(Seq[String](defaultUser), allowedUsers)
setViewAcls(Set[String](defaultUser), allowedUsers)
}

private[spark] def getViewAcls: String = viewAcls.mkString(",")

private[spark] def setModifyAcls(defaultUsers: Set[String], allowedUsers: String) {
modifyAcls = (adminAcls ++ defaultUsers ++ stringToSet(allowedUsers))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this require that setAdminAcls() always be called before this method? It sounds like it would be very easy to get tricked by that.

I think it would be better to either calculate the view ACLs as part of the getter, or to call this as part of setAdminAcls() too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes it requires it set before. I went back and forth on this a bit and choose to keep it this way since its private and only really called in once place at this point (history ui). And actually only the view one is called the modify one isn't called anywhere outside of this class. We could add the additional logic but I kind of see it as just overhead right now. Normally everything is initialized just when you create the securityManager and so these routines aren't called outside of here.

I could be swayed to change it. I should atleast add a comment here also. I have it in some other places, but should add here too.

logInfo("Changing modify acls to: " + modifyAcls.mkString(","))
}

private[spark] def setUIAcls(aclSetting: Boolean) {
uiAclsOn = aclSetting
logInfo("Changing acls enabled to: " + uiAclsOn)
private[spark] def getModifyAcls: String = modifyAcls.mkString(",")

/**
* Admin acls should be set before the view or modify acls. If you modify the admin
* acls you should also set the view and modify acls again to pick up the changes.
*/
private[spark] def setAdminAcls(adminUsers: String) {
adminAcls = stringToSet(adminUsers)
logInfo("Changing admin acls to: " + adminAcls.mkString(","))
}

private[spark] def setAcls(aclSetting: Boolean) {
aclsOn = aclSetting
logInfo("Changing acls enabled to: " + aclsOn)
}

/**
Expand Down Expand Up @@ -224,22 +272,39 @@ private[spark] class SecurityManager(sparkConf: SparkConf) extends Logging {
* Check to see if Acls for the UI are enabled
* @return true if UI authentication is enabled, otherwise false
*/
def uiAclsEnabled(): Boolean = uiAclsOn
def aclsEnabled(): Boolean = aclsOn

/**
* Checks the given user against the view acl list to see if they have
* authorization to view the UI. If the UI acls must are disabled
* via spark.ui.acls.enable, all users have view access.
* authorization to view the UI. If the UI acls are disabled
* via spark.acls.enable, all users have view access. If the user is null
* it is assumed authentication isn't turned on and all users have access.
*
* @param user to see if is authorized
* @return true is the user has permission, otherwise false
*/
def checkUIViewPermissions(user: String): Boolean = {
logDebug("user=" + user + " uiAclsEnabled=" + uiAclsEnabled() + " viewAcls=" +
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " viewAcls=" +
viewAcls.mkString(","))
if (uiAclsEnabled() && (user != null) && (!viewAcls.contains(user))) false else true
if (aclsEnabled() && (user != null) && (!viewAcls.contains(user))) false else true
}

/**
* Checks the given user against the modify acl list to see if they have
* authorization to modify the application. If the UI acls are disabled
* via spark.acls.enable, all users have modify access. If the user is null
* it is assumed authentication isn't turned on and all users have access.
*
* @param user to see if is authorized
* @return true is the user has permission, otherwise false
*/
def checkModifyPermissions(user: String): Boolean = {
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " modifyAcls=" +
modifyAcls.mkString(","))
if (aclsEnabled() && (user != null) && (!modifyAcls.contains(user))) false else true
}


/**
* Check to see if authentication for the Spark communication protocols is enabled
* @return true if authentication is enabled, otherwise false
Expand Down
4 changes: 3 additions & 1 deletion core/src/main/scala/org/apache/spark/deploy/history/FsHistoryProvider.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,9 @@ private[history] class FsHistoryProvider(conf: SparkConf) extends ApplicationHis

if (ui != null) {
val uiAclsEnabled = conf.getBoolean("spark.history.ui.acls.enable", false)
ui.getSecurityManager.setUIAcls(uiAclsEnabled)
ui.getSecurityManager.setAcls(uiAclsEnabled)
// make sure to set admin acls before view acls so properly picked up
ui.getSecurityManager.setAdminAcls(appListener.adminAcls)
ui.getSecurityManager.setViewAcls(appListener.sparkUser, appListener.viewAcls)
}
(appInfo, ui)
Expand Down
4 changes: 2 additions & 2 deletions core/src/main/scala/org/apache/spark/scheduler/ApplicationEventListener.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ private[spark] class ApplicationEventListener extends SparkListener {
var startTime = -1L
var endTime = -1L
var viewAcls = ""
var enableViewAcls = false
var adminAcls = ""

def applicationStarted = startTime != -1

Expand All @@ -55,7 +55,7 @@ private[spark] class ApplicationEventListener extends SparkListener {
val environmentDetails = environmentUpdate.environmentDetails
val allProperties = environmentDetails("Spark Properties").toMap
viewAcls = allProperties.getOrElse("spark.ui.view.acls", "")
enableViewAcls = allProperties.getOrElse("spark.ui.acls.enable", "false").toBoolean
adminAcls = allProperties.getOrElse("spark.admin.acls", "")
}
}
}
2 changes: 1 addition & 1 deletion core/src/main/scala/org/apache/spark/ui/jobs/JobProgressTab.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ private[ui] class JobProgressTab(parent: SparkUI) extends WebUITab(parent, "stag
def isFairScheduler = listener.schedulingMode.exists(_ == SchedulingMode.FAIR)

def handleKillRequest(request: HttpServletRequest) = {
if (killEnabled) {
if ((killEnabled) && (parent.securityManager.checkModifyPermissions(request.getRemoteUser))) {
val killFlag = Option(request.getParameter("terminate")).getOrElse("false").toBoolean
val stageId = Option(request.getParameter("id")).getOrElse("-1").toInt
if (stageId >= 0 && killFlag && listener.activeStages.contains(stageId)) {
Expand Down
83 changes: 75 additions & 8 deletions core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ class SecurityManagerSuite extends FunSuite {
conf.set("spark.ui.view.acls", "user1,user2")
val securityManager = new SecurityManager(conf);
assert(securityManager.isAuthenticationEnabled() === true)
assert(securityManager.uiAclsEnabled() === true)
assert(securityManager.aclsEnabled() === true)
assert(securityManager.checkUIViewPermissions("user1") === true)
assert(securityManager.checkUIViewPermissions("user2") === true)
assert(securityManager.checkUIViewPermissions("user3") === false)
Expand All @@ -41,23 +41,90 @@ class SecurityManagerSuite extends FunSuite {
val conf = new SparkConf
conf.set("spark.ui.view.acls", "user1,user2")
val securityManager = new SecurityManager(conf);
securityManager.setUIAcls(true)
assert(securityManager.uiAclsEnabled() === true)
securityManager.setUIAcls(false)
assert(securityManager.uiAclsEnabled() === false)
securityManager.setAcls(true)
assert(securityManager.aclsEnabled() === true)
securityManager.setAcls(false)
assert(securityManager.aclsEnabled() === false)

// acls are off so doesn't matter what view acls set to
assert(securityManager.checkUIViewPermissions("user4") === true)

securityManager.setUIAcls(true)
assert(securityManager.uiAclsEnabled() === true)
securityManager.setViewAcls(ArrayBuffer[String]("user5"), "user6,user7")
securityManager.setAcls(true)
assert(securityManager.aclsEnabled() === true)
securityManager.setViewAcls(Set[String]("user5"), "user6,user7")
assert(securityManager.checkUIViewPermissions("user1") === false)
assert(securityManager.checkUIViewPermissions("user5") === true)
assert(securityManager.checkUIViewPermissions("user6") === true)
assert(securityManager.checkUIViewPermissions("user7") === true)
assert(securityManager.checkUIViewPermissions("user8") === false)
assert(securityManager.checkUIViewPermissions(null) === true)
}

test("set security modify acls") {
val conf = new SparkConf
conf.set("spark.modify.acls", "user1,user2")

val securityManager = new SecurityManager(conf);
securityManager.setAcls(true)
assert(securityManager.aclsEnabled() === true)
securityManager.setAcls(false)
assert(securityManager.aclsEnabled() === false)

// acls are off so doesn't matter what view acls set to
assert(securityManager.checkModifyPermissions("user4") === true)

securityManager.setAcls(true)
assert(securityManager.aclsEnabled() === true)
securityManager.setModifyAcls(Set("user5"), "user6,user7")
assert(securityManager.checkModifyPermissions("user1") === false)
assert(securityManager.checkModifyPermissions("user5") === true)
assert(securityManager.checkModifyPermissions("user6") === true)
assert(securityManager.checkModifyPermissions("user7") === true)
assert(securityManager.checkModifyPermissions("user8") === false)
assert(securityManager.checkModifyPermissions(null) === true)
}

test("set security admin acls") {
val conf = new SparkConf
conf.set("spark.admin.acls", "user1,user2")
conf.set("spark.ui.view.acls", "user3")
conf.set("spark.modify.acls", "user4")

val securityManager = new SecurityManager(conf);
securityManager.setAcls(true)
assert(securityManager.aclsEnabled() === true)

assert(securityManager.checkModifyPermissions("user1") === true)
assert(securityManager.checkModifyPermissions("user2") === true)
assert(securityManager.checkModifyPermissions("user4") === true)
assert(securityManager.checkModifyPermissions("user3") === false)
assert(securityManager.checkModifyPermissions("user5") === false)
assert(securityManager.checkModifyPermissions(null) === true)
assert(securityManager.checkUIViewPermissions("user1") === true)
assert(securityManager.checkUIViewPermissions("user2") === true)
assert(securityManager.checkUIViewPermissions("user3") === true)
assert(securityManager.checkUIViewPermissions("user4") === false)
assert(securityManager.checkUIViewPermissions("user5") === false)
assert(securityManager.checkUIViewPermissions(null) === true)

securityManager.setAdminAcls("user6")
securityManager.setViewAcls(Set[String]("user8"), "user9")
securityManager.setModifyAcls(Set("user11"), "user9")
assert(securityManager.checkModifyPermissions("user6") === true)
assert(securityManager.checkModifyPermissions("user11") === true)
assert(securityManager.checkModifyPermissions("user9") === true)
assert(securityManager.checkModifyPermissions("user1") === false)
assert(securityManager.checkModifyPermissions("user4") === false)
assert(securityManager.checkModifyPermissions(null) === true)
assert(securityManager.checkUIViewPermissions("user6") === true)
assert(securityManager.checkUIViewPermissions("user8") === true)
assert(securityManager.checkUIViewPermissions("user9") === true)
assert(securityManager.checkUIViewPermissions("user1") === false)
assert(securityManager.checkUIViewPermissions("user3") === false)
assert(securityManager.checkUIViewPermissions(null) === true)

}


}

27 changes: 22 additions & 5 deletions docs/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -743,13 +743,13 @@ Apart from these, the following properties are also available, and may be useful
</td>
</tr>
<tr>
<td><code>spark.ui.acls.enable</code></td>
<td><code>spark.acls.enable</code></td>
<td>false</td>
<td>
Whether Spark web ui acls should are enabled. If enabled, this checks to see if the user has
access permissions to view the web ui. See <code>spark.ui.view.acls</code> for more details.
Also note this requires the user to be known, if the user comes across as null no checks
are done. Filters can be used to authenticate and set the user.
Whether Spark acls should are enabled. If enabled, this checks to see if the user has
access permissions to view or modify the job. Note this requires the user to be known,
so if the user comes across as null no checks are done. Filters can be used with the UI
to authenticate and set the user.
</td>
</tr>
<tr>
Expand All @@ -760,6 +760,23 @@ Apart from these, the following properties are also available, and may be useful
user that started the Spark job has view access.
</td>
</tr>
<tr>
<td><code>spark.modify.acls</code></td>
<td>Empty</td>
<td>
Comma separated list of users that have modify access to the Spark job. By default only the
user that started the Spark job has access to modify it (kill it for example).
</td>
</tr>
<tr>
<td><code>spark.admin.acls</code></td>
<td>Empty</td>
<td>
Comma separated list of users/administrators that have view and modify access to all Spark jobs.
This can be used if you run on a shared cluster and have a set of administrators or devs who
help debug when things work.
</td>
</tr>
</table>

#### Spark Streaming
Expand Down
7 changes: 5 additions & 2 deletions docs/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,11 @@ Spark currently supports authentication via a shared secret. Authentication can
* For Spark on [YARN](running-on-yarn.html) deployments, configuring `spark.authenticate` to `true` will automatically handle generating and distributing the shared secret. Each application will use a unique shared secret.
* For other types of Spark deployments, the Spark parameter `spark.authenticate.secret` should be configured on each of the nodes. This secret will be used by all the Master/Workers and applications.

The Spark UI can also be secured by using [javax servlet filters](http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) via the `spark.ui.filters` setting. A user may want to secure the UI if it has data that other users should not be allowed to see. The javax servlet filter specified by the user can authenticate the user and then once the user is logged in, Spark can compare that user versus the view ACLs to make sure they are authorized to view the UI. The configs `spark.ui.acls.enable` and `spark.ui.view.acls` control the behavior of the ACLs. Note that the user who started the application always has view access to the UI.
On YARN, the Spark UI uses the standard YARN web application proxy mechanism and will authenticate via any installed Hadoop filters.
The Spark UI can also be secured by using [javax servlet filters](http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) via the `spark.ui.filters` setting. A user may want to secure the UI if it has data that other users should not be allowed to see. The javax servlet filter specified by the user can authenticate the user and then once the user is logged in, Spark can compare that user versus the view ACLs to make sure they are authorized to view the UI. The configs `spark.acls.enable` and `spark.ui.view.acls` control the behavior of the ACLs. Note that the user who started the application always has view access to the UI. On YARN, the Spark UI uses the standard YARN web application proxy mechanism and will authenticate via any installed Hadoop filters.

Spark also supports modify ACLs to control who has access to modify a running Spark application. This includes things like killing the application or a task. This is controlled by the configs `spark.acls.enable` and `spark.modify.acls`. Note that if you are authenticating the web UI, in order to use the kill button on the web UI it might be necessary to add the users in the modify acls to the view acls also. On YARN, the modify acls are passed in and control who has modify access via YARN interfaces.

Spark allows for a set of administrators to be specified in the acls who always have view and modify permissions to all the applications. is controlled by the config `spark.admin.acls`. This is useful on a shared cluster where you might have administrators or support staff who help users debug applications.

If your applications are using event logging, the directory where the event logs go (`spark.eventLog.dir`) should be manually created and have the proper permissions set on it. If you want those log files secured, the permissions should be set to `drwxrwxrwxt` for that directory. The owner of the directory should be the super user who is running the history server and the group permissions should be restricted to super user group. This will allow all users to write to the directory but will prevent unprivileged users from removing or renaming a file unless they own the file or directory. The event log files will be created by Spark with permissions such that only the user and group have read and write access.

Expand Down
Loading