Multi-user support for Spark standalone mode

1,394 views
Skip to first unread message

Jerry Shao

unread,
Jul 25, 2013, 2:12:52ā€ÆAM7/25/13
to spark-de...@googlegroups.com
Hi all,

Currently we face two problems when submitting Spark apps into Spark cluster with different users:
  1. StandaloneExecutorBackend do not distinguish the user who submits app and will run as cluster user, this will cause hdfs file permission issue, also hdfs user isolation mechanism may not work on Spark.
  2. For security hdfs, Spark can only use cluster credentials to get hdfs authentication, not the user's credentials who submit apps.
Our current method is to pass the user to StandaloneExecutorBackend, StandaloneExecutorBackend start itself using Hadoop UserGroupInformation's doAs to run Ā as specific user. For security hdfs, a proxy user will be created to get kerberos authentication.Ā 

I think it's not the elegant way to solve this problem, I post here to see any suggestion about this problem.

BTW, I heard some Yahoo guys are focusing on Spark multi-user and security things, is there anything you can share :-)

Thanks
Jerry

Mridul Muralidharan

unread,
Jul 25, 2013, 3:35:01ā€ÆAM7/25/13
to spark-de...@googlegroups.com
I will let Tom comment more, but most of the initial work has been
primarily on the yarn mode - not standalone mode.
In yarn mode, you launch the job as the specific user, and if the
hadoop cluster is security aware, passing/validation of delegation
token is done, etc.


Regards,
Mridul
> --
> You received this message because you are subscribed to the Google Groups
> "Spark Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to spark-develope...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

Reynold Xin

unread,
Jul 25, 2013, 3:37:18ā€ÆAM7/25/13
to spark-de...@googlegroups.com, Thomas Graves
+Tom in this he is not subscribed.Ā 

moji...@gmail.com

unread,
Jul 25, 2013, 5:41:11ā€ÆAM7/25/13
to spark-de...@googlegroups.com

Hi all

Ā Ā Ā 

Ā Ā Ā Ā  IĀ  deployĀ  aĀ  spark cluster withĀ  standalone mode (no useĀ  Mesos), andĀ  start the cluster by the defualt user ---Ā Spark. Then i run the shark , suppose i am the user --Ā Shark怂Please pay attention to the user i use

Ā  Ā Ā Ā Now i executed some sql sentence in Shark , for example " select * from table" , but it throw the exceptionļ¼š

Ā 

Ā Ā Ā Ā Ā rg.apache.hadoop.hive.ql.metadata.HiveException: org.apache.hadoop.security.AccessControlException: Permission denied: user=shark, access=ALL, inode="/tmp/hive_2013-07-Ā Ā Ā Ā  16_849_1224166558688754033/_task_tmp.-ext-10001" park:upergroupĀ  rwxr-xr-x

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:205)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkSubAccess(FSPermissionChecker.java:174)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:144)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:4547)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.deleteInternal(FSNamesystem.java:2679)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.deleteInt(FSNamesystem.java:2643)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.delete(FSNamesystem.java:2626)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.delete(NameNodeRpcServer.java:612)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.delete(ClientNamenodeProtocolServerSideTranslatorPB.java:406)

Ā Ā Ā Ā Ā Ā Ā  at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java:44094)

Ā Ā Ā Ā 

Ā  Ā Ā and then i found the directory in HDFS: (the currentĀ hive.exec.scratchdirĀ Ā is set toĀ /tmpĀ )

Ā  Ā drwxrwxrwxĀ  sharkĀ  supergroupĀ Ā  2013-07-16 15:45 /tmp/hive_2013-07-Ā 

Ā Ā  16_849_1224166558688754033

Ā  Ā obviouslyļ¼Œthe owner of the directory is Shark (the user i start shark), but this directory contain:

Ā  Ā Ā drwxr-xr-xĀ Ā  - spark supergroupĀ Ā Ā Ā Ā Ā Ā Ā Ā  0 2013-07-16 15:54 /tmp/hive_2013-07-Ā 

Ā Ā Ā  16_849_1224166558688754033/-ext-10001

Ā Ā Ā  drwxr-xr-xĀ Ā  - spark supergroupĀ Ā Ā Ā Ā Ā Ā Ā Ā  0 2013-07-16 15:54 /tmp/hive_2013-07-Ā 

Ā Ā  16_849_1224166558688754033/_task_tmp.-ext-10001

Ā  Ā Ā Ā the owner isĀ Spark( the user i start Sparkļ¼‰Ā !!!!

Ā  Ā  Ā In my option, when i execute "select xxxx"Ā  it would generate some temp file , such as above /tmp/hive-xxxxxx. And the owner of this directory is shark, that is reasonableļ¼Œbecause i start shark with user--shark,Ā  butĀ  why the owner of the subdirectory of this directory ( e.g. _task_tmp.-ext-10001) is spark ( maybe i start the spark with user --Spark).

Ā Ā Ā Ā Ā  Now the problem comes, looking at the exception, it said thatĀ Ā SharkĀ must has the ALL permissionĀ  of directoryĀ  _task_tmp.-ext-10001ļ¼Œbut now the access control of _task_tmp.-ext-10001 is (Spark:upergroupĀ  rwxr-xr-x)

Ā  Ā  Ā  Ā My question is: i have to start shark and spark using the same user? But if so , it is so

Strange. If several users want to use shark, how could i do?

Jerry Shao

unread,
Jul 25, 2013, 6:04:47ā€ÆAM7/25/13
to spark-de...@googlegroups.com
Hi,

This is the problem what I mentioned previously. Spark StandaloneExecutorBackend do not use the user (shark) who submits app to communicate with hdfs, instead it uses the user (spark) who start Spark cluster, so it will cause file permission exception. Subdirectory and file is created in the task run on ExecutorBackend with user (spark) which cannot be deleted by user (shark).Ā 

Currently the only way is to run all the stuff in the same user. we are focusing on this issue and will solve it ASAP.

Thanks
Jerry


åœØ 2013幓7꜈25ę—„ę˜ŸęœŸå››UTC+8äø‹åˆ5ę—¶41分11ē§’ļ¼Œmoji...@gmail.com写道ļ¼š

Thomas graves

unread,
Jul 25, 2013, 1:22:00ā€ÆPM7/25/13
to spark-de...@googlegroups.com

Yeah currently I have been working on the yarn mode so its passing the delegation token from the master to workers and running things as the appropriate user.Ā Ā  But it just runs one job and then exits also right now. Once we have that working we do want to start looking at having the yarn mode be longer lived similar to standalone and allow for multi-tenancy.Ā Ā But unfortunately I haven't looked at it yet.

I'm also working on security for securing the internal SPARK connections, the first cut is a simple shared secret exchange to authenticate.

For the secure hdfs you need to either ship the UGI (with credentials) around or a key tab file.Ā Ā Something that lets the individual user authenticate.

I don't think you need to run the actual process as the user if its just the hdfs security that is the issue, but for a true multi tenant secure environment you would want to. It looks like the ApplicationDescription is already pulling the user from the environmentĀ Ā via the user.name property. Are you using using that user for the doAs?

I'm not sure I completely understand how you are using the proxy user? Are you having the spark user be the proxy user that then access hdfs on behalf of the user?

Tom



--

Jerry Shao

unread,
Jul 25, 2013, 9:27:31ā€ÆPM7/25/13
to spark-de...@googlegroups.com
Hi Tom,Ā 

Thanks for your replying, actually I use the user in the ApplicationDsecription for doAs like the below code. if security is enabled I will create the proxy user to pass the Kerberos authentication using spark user, and actually communicate with hdfs using app user; if security is not enabled, I simply create the remote user for doAs

val ugi = if (isSecurityOn) {
Ā  Ā  Ā  UserGroupInformation.createProxyUser(user, UserGroupInformation.getLoginUser())
Ā  Ā  } else {
Ā  Ā  Ā  UserGroupInformation.createRemoteUser(user)
Ā  Ā  }

Ā  Ā  ugi.doAs(new PrivilegedExceptionAction[Unit] {
Ā  Ā  Ā  def run: Unit = {
Ā  Ā  Ā  Ā  func(args)
Ā  Ā  Ā  }
Ā  Ā  })

This can be worked with or without security enabled, one problem when security is enabled is that each task in Spark should get Kerberos authentication to access hdfs, it will delay the execution time, also KDC will be the SPOF. I think the good solution is that client driver get hdfs delegation token and broadcast to all tasks, task use this delegation token to access the hdfs, do you think it's reasonable and applicable ?

BTW, do you have any plan to support multi-user in Spark standalone mode? If you have a whole plan then I can currently use this method until you submit a patch, otherwise I will focus on it.

BR
Jerry

åœØ 2013幓7꜈26ę—„ę˜ŸęœŸäŗ”UTC+8äøŠåˆ1ę—¶22分00ē§’ļ¼ŒThomas graves写道ļ¼š

Thomas graves

unread,
Jul 26, 2013, 9:50:04ā€ÆAM7/26/13
to spark-de...@googlegroups.com
Hey Jerry,

Ok, the doAs logic makes sense now.

Yes I agree, having the client authenticate and then pass it around is a good idea - this is what I meant by ship the UGI with the credentials. Ā This is how Hadoop YARN/MapReduce does it too. Ā 

There are a few other issues that might need to be addressed with this though too. Hadoop tokens only live for a certain amount of time - there is actually 2 timeouts - a soft one (renewal interval) and then a hard one (max lifetime). The soft one requires you to renew it within that interval if you are going to keep using it (default 24 hours), but it can only be renewed up to the hard limit. Ā So for instance the default hard limit is 1 week so after that you have to get a new token. Ā Those are configurable so as long as you can set them pretty high it might not be an issue or if your jobs don't run for that long its not an issue either. Ā  I haven't tried out the spark streaming stuff but it might be more of an issue there. Ā It is definitely an issue on YARN though as there are tokens for talking to the ResourceManager to request more resources too. Ā So long lived spark processes would somehow need to renew the tokens and then possibly after a week get a new one. Ā Its actually an issue for other long lived processes using Hadoop and there are a few people thinking about that issue. Ā 

I don't have plans for supporting it in standalone mode, but we essentially want to go that way on YARN to allow multi-tenancy on a single Spark instance running on top of YARN. The issues there are the same so I think you solve it for one it works on the other. But that timeline for me is out quite a ways so if you want something soon you might want to work on it.

Tom

Jerry Shao

unread,
Jul 29, 2013, 10:20:13ā€ÆPM7/29/13
to spark-de...@googlegroups.com
Hi Tom,Ā 

Thanks for your replying.

I agree with you that renew a token for long-run apps in Spark is necessary. Hadoop has a mechanism to nominate a token renew service to renew a soft expired token, and it assumes that jobs in Hadoop cannot run longer than 7 days. I'm not sure Hadoop exposes some APIs to use to update token, otherwise a token renew service should be created in Spark.

Furthermore, after a token is hard expired, a new token should be created, distributed to Spark cluster, a better way to handle all of this is need.

Thanks
JerryĀ 

åœØ 2013幓7꜈26ę—„ę˜ŸęœŸäŗ”UTC+8äø‹åˆ9ę—¶50分04ē§’ļ¼ŒThomas graves写道ļ¼š
Reply all
Reply to author
Forward
0 new messages