Summary
This article relates to an issue where revoking permissions on a Spark submission fails.
Applies to
- DataStax Enterprise 6.7.x
- DataStax Enterprise 6.0.x
- DataStax Enterprise 5.1.x
Symptom
Example permissions for a completed job:
admin@cqlsh> LIST ALL PERMISSIONS OF sparkrole;

 role      | username  | resource                                                               | permission | granted | restricted | grantable
-----------+-----------+------------------------------------------------------------------------+------------+---------+------------+-----------
 ...
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | MODIFY     | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | AUTHORIZE  | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | DESCRIBE   | True    | False      | False
 ...
Where a role has stale permissions, attempts to revoke all the permissions on the application ID fail with "Resource ... doesn't exist".
cqlsh> REVOKE ALL ON SUBMISSION 'app-20190519161729-0004' IN WORKPOOL 'Analytics.default' FROM sparkrole ;
InvalidRequest: Error from server: code=2200 [Invalid query] \
  message="Resource <submission app-20190519161729-0004 in work pool default in Analytics> doesn't exist"
Cause
A Spark permission is considered valid when an equivalent entry exists in the shared DSE resource manager table dse_analytics.rm_shared_data.
In the example above, the permissions on the resource app-20190210100644-0850 cannot be revoked because it does not exist in the dse_analytics.rm_shared_data table. The respective entries in the system_auth.role_permissions table are orphaned since they do not have matching entries in the shared Analytics table.
Workaround
To revoke the stale permissions, manually delete the entries in the system_auth.role_permissions table:
cqlsh> DELETE FROM system_auth.role_permissions WHERE role='sparkrole' AND resource = 'any_submission_in_any_workpool_in_any_dc/Analytics/default/app-20190519161729-0004' ;
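When a role has accumulated many orphaned entries, the workaround statements can be generated rather than typed by hand. The following is an added example, not DataStax code: it assumes the operator has exported (role, resource) pairs from system_auth.role_permissions and has a set of application IDs the resource manager still knows about; the function names and sample rows are hypothetical.

```python
import re

# Resource layout taken from the DELETE statement in the workaround above:
#   any_submission_in_any_workpool_in_any_dc/<dc>/<workpool>/<application id>
SUBMISSION_RE = re.compile(
    r"^any_submission_in_any_workpool_in_any_dc/([^/]+)/([^/]+)/([^/]+)$"
)


def cql_quote(value):
    """Quote a CQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def parse_submission(resource):
    """Return (dc, workpool, app_id), or None if not a single-submission resource."""
    m = SUBMISSION_RE.match(resource)
    return m.groups() if m else None


def stale_permission_deletes(rows, live_app_ids):
    """rows: (role, resource) pairs exported from system_auth.role_permissions.
    live_app_ids: application IDs still known to the resource manager (assumed input).
    Returns one DELETE per orphaned submission entry, in the form shown above."""
    statements = []
    for role, resource in rows:
        parsed = parse_submission(resource)
        if parsed is None:
            continue  # not a per-submission resource: never touched
        _dc, _workpool, app_id = parsed
        if app_id in live_app_ids:
            continue  # still backed by a resource manager entry: use REVOKE
        statements.append(
            "DELETE FROM system_auth.role_permissions WHERE role=%s AND resource = %s ;"
            % (cql_quote(role), cql_quote(resource))
        )
    return statements


# Constructed sample data: the first resource is the article's, the others are invented.
PREFIX = "any_submission_in_any_workpool_in_any_dc/Analytics/default/"
SAMPLE_ROWS = [
    ("sparkrole", PREFIX + "app-20190519161729-0004"),
    ("sparkrole", PREFIX + "app-00000000000000-0001"),
    ("sparkrole", "data/ks1/table1"),
]
SAMPLE_LIVE = {"app-00000000000000-0001"}

if __name__ == "__main__":
    print("\n".join(stale_permission_deletes(SAMPLE_ROWS, SAMPLE_LIVE)))
```

Review the generated statements before running them in cqlsh; entries for live submissions and non-submission resources are skipped so they can still be handled with REVOKE.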