Skip to main content

REVOKE command on Spark submissions fail with "resource doesn't exist"

Summary

This article relates to an issue where revoking permissions on a Spark submission fails.

Applies to

  • DataStax Enterprise 6.7.x
  • DataStax Enterprise 6.0.x
  • DataStax Enterprise 5.1.x

Symptom

Example permissions for a completed job:

admin@cqlsh> LIST ALL PERMISSIONS OF sparkrole;
 role      | username  | resource                                                               | permission | granted | restricted | grantable
-----------+-----------+------------------------------------------------------------------------+------------+---------+------------+-----------
 ...
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | MODIFY     | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | AUTHORIZE  | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | DESCRIBE   | True    | False      | False
 ...

Where a role has stale permissions, attempts to revoke all the permissions on the application ID fails with "Resource ... doesn't exist".

cqlsh> REVOKE ALL ON SUBMISSION 'app-20190519161729-0004' IN WORKPOOL 'Analytics.default' FROM sparkrole ;
InvalidRequest: Error from server: code=2200 [Invalid query] \
  message="Resource <submission app-20190519161729-0004 in work pool default in Analytics> doesn't exist"

Cause

A Spark permission is considered valid when an equivalent entry exists in the shared DSE resource manager table dse_analytics.rm_shared_data.

In the example above, the permissions on the resource app-20190210100644-0850 cannot be revoked because it does not exist in the dse_analytics.rm_shared_data table. The respective entries in the system_auth.role_permissions table are orphaned since they do not have matching entries in the shared Analytics table.

Workaround

To revoke the stale permissions, manually delete the entries in the system_auth.role_permissions table:

cqlsh> DELETE FROM system_auth.role_permissions WHERE role='sparkrole' AND resource = 'any_submission_in_any_workpool_in_any_dc/Analytics/default/app-20190519161729-0004' ; 

 

Was this article helpful?
1 out of 1 found this helpful
Return to top

Related articles

Didn’t find what you’re looking for?

SUBMIT A TICKET