Support Policy      Security Notices
  1. DataStax Support
  2. DataStax Enterprise
  3. Analytics

REVOKE command on Spark submissions fail with "resource doesn't exist"

Follow

Summary

This article relates to an issue where revoking permissions on a Spark submission fails.

Applies to

  • DataStax Enterprise 6.7.x
  • DataStax Enterprise 6.0.x
  • DataStax Enterprise 5.1.x

Symptom

Example permissions for a completed job:

admin@cqlsh> LIST ALL PERMISSIONS OF sparkrole;
 role      | username  | resource                                                               | permission | granted | restricted | grantable
-----------+-----------+------------------------------------------------------------------------+------------+---------+------------+-----------
 ...
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | MODIFY     | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | AUTHORIZE  | True    | False      | False
 sparkrole | sparkrole | <submission app-20190519161729-0004 in work pool default in Analytics> | DESCRIBE   | True    | False      | False
 ...

Where a role has stale permissions, attempts to revoke all the permissions on the application ID fails with "Resource ... doesn't exist".

cqlsh> REVOKE ALL ON SUBMISSION 'app-20190519161729-0004' IN WORKPOOL 'Analytics.default' FROM sparkrole ;
InvalidRequest: Error from server: code=2200 [Invalid query] \
  message="Resource <submission app-20190519161729-0004 in work pool default in Analytics> doesn't exist"

Cause

A Spark permission is considered valid when an equivalent entry exists in the shared DSE resource manager table dse_analytics.rm_shared_data.

In the example above, the permissions on the resource app-20190210100644-0850 cannot be revoked because it does not exist in the dse_analytics.rm_shared_data table. The respective entries in the system_auth.role_permissions table are orphaned since they do not have matching entries in the shared Analytics table.

Workaround

To revoke the stale permissions, manually delete the entries in the system_auth.role_permissions table:

cqlsh> DELETE FROM system_auth.role_permissions WHERE role='sparkrole' AND resource = 'any_submission_in_any_workpool_in_any_dc/Analytics/default/app-20190519161729-0004' ; 

 

Erick Ramirez
Created: 2019-06-03 06:22:22 UTC
Last Update: 2019-08-13 08:59:11 UTC

Related articles

Comments

0 comments

Please sign in to leave a comment.