Support Policy      Security Notices
  1. DataStax Support
  2. DataStax Enterprise
  3. Analytics

Spark Master web UI prompts for login credentials after upgrading to DSE 5.1 or later

Follow

Summary

This article discussed a situation where users who try to access the Spark Master web interface on an upgraded cluster are prompted to enter credentials to login.

Applies to

  • DataStax Enterprise 6.7
  • DataStax Enterprise 6.0
  • DataStax Enterprise 5.1

Symptom

After upgrading an Analytics node, users who try to access the Spark Master web interface (for example http://10.101.32.168:7080/) are prompted with a login box. Versions earlier than DSE 5.1 did not require authentication. Below is an example of a sign in dialog box:

t54715_login.png

If users do not provide credentials, a HTTP 401 unauthorized error occurs with a message like:

Problem accessing /. Reason:
    Authentication is required to access this resource

Providing incorrect credentials will return the following error:

Problem accessing /. Reason:
    Authentication failed

Cause

A new security feature was added in DSE 5.1.0 which leverages DSE Advanced Security to secure cluster components and services. If DSE Unified Authentication is enabled with LDAP or internal authentication, users will be prompted for login credentials when accessing the Spark Master web interface. See DSP-11311 in the 5.1.0 DSE Analytics changes and enhancements section of the release notes.

Note that Kerberos authentication is not supported in the Spark web interface.

Workaround

Spark web interface basic HTTP authentication supports only LDAP and internal authentication. For clusters which use only Kerberos, disable the Spark web UI authentication by following the steps below.

STEP 1 - On the first DSE Analytics node, modify the Spark daemon configuration file. For DSE package installations:

$ vi /etc/dse/spark/spark-daemon-defaults.conf

For DSE tarball installations:

$ vi <path_to_installation>/resources/spark/conf/spark-daemon-defaults.conf

STEP 2 - Disable the SparkUIAuthFilter by commenting out (add a # at the start) or removing the following line:

spark.ui.filters      com.datastax.bdp.auth.SparkUIAuthFilter

STEP 3 - Restart DSE on the node for the change to take effect.

If the authentication filter has been disabled correctly, there should not be an entry like this in the logs:

INFO [dispatcher-event-loop-1] 2019-07-28 16:20:18,438 Logging.scala:54 - \
  Adding filter: com.datastax.bdp.auth.SparkUIAuthFilter

STEP 4 - Repeat the steps above on the next node until all DSE Analytics node have been done.

See also

Docs - Monitoring Spark with the web interface

Erick Ramirez
Created: 2019-07-28 05:27:42 UTC
Last Update: 2019-08-29 01:14:47 UTC

Related articles

Comments

0 comments

Please sign in to leave a comment.