Versions
In Spark 2.3.1-2.2.1-2 and later, these topics have been divided up among the Getting Started and Security sections. Previous versions will still need the information below.
Configuring DC/OS Access
This topic describes how to configure DC/OS access for Spark. Depending on your security mode, Spark requires service authentication for access to DC/OS.
Security mode | Service Account |
---|---|
Disabled | Not available |
Permissive | Optional |
Strict | Required |
If you install a service in permissive
mode and do not specify a service account, Metronome and Marathon will act as if requests made by this service are made by an account with the superuser permission.
Prerequisites
- DC/OS CLI installed and be logged in as a superuser.
- Enterprise DC/OS CLI 0.4.14 or later installed.
- If your security mode is
permissive
orstrict
, you must get the root cert before issuing the curl commands in this section.
Set permissions
You must set the following permissions if you want to execute a Spark job (dcos spark run
) from outside of the DC/OS cluster:
dcos:adminrouter:service:marathon full
dcos:adminrouter:service:spark full
dcos:service:marathon:marathon:services:/spark read
Replace spark
when setting these permissions with the appropriate service name if you are not using the default service name.
Create a key pair
In this step, a 2048-bit RSA public-private key pair is created using the Enterprise DC/OS CLI (install with dcos package install dcos-enterprise-cli
if you haven’t already).
Create a public-private key pair and save each value into a separate file within the current directory.
dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
Create a service account
From a terminal prompt, create a new service account (<service-account-id>
) containing the public key (<your-public-key>.pem
).
dcos security org service-accounts create -p <your-public-key>.pem -d "Spark service account" <service-account-id>
Use the following command to verify your new service account.
dcos security org service-accounts show <service-account-id>
Create a secret
Create a secret (spark/<secret-name>
) with your service account (<service-account-id>
) and private key specified (<private-key>.pem
).
Permissive
dcos security secrets create-sa-secret <private-key>.pem <service-account-id> spark/<secret-name>
Strict
dcos security secrets create-sa-secret --strict <private-key>.pem <service-account-id> spark/<secret-name>
Use the following command to list the secrets.
dcos security secrets list /
Create and assign permissions
Use the following curl commands to rapidly provision the Spark service account with the required permissions. This can also be done through the UI.
Tips:
- Any
/
character in a resource must be replaced with%252F
before it can be passed in a curl command. - When using the API to manage permissions, you must first create the permissions and then assign them. Sometimes, the permission may already exist. In this case, the API returns an informative message. You can consider this as a confirmation and continue to the next command.
-
Create the permissions. Some of these permissions may exist already.
If you want to override the default Spark role, you must modify these code samples accordingly.
curl -X PUT --cacert dcos-ca.crt \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:user:nobody \ -d '{"description":"Allows Linux user nobody to execute tasks"}' \ -H 'Content-Type: application/json' curl -X PUT --cacert dcos-ca.crt \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:* \ -d '{"description":"Allows a framework to register with the Mesos master using the Mesos default role"}' \ -H 'Content-Type: application/json' curl -X PUT -k \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" "$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id:%252Fspark" \ -d '{"description":"Allow to read the task state"}' \ -H 'Content-Type: application/json'
-
Grant the permissions and the allowed actions to the service account using the following commands.
Run these commands with your service account name (
<service-account-id>
) specified.curl -X PUT -k \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" "$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:framework:role:*/users/<service-account-id>/create" curl -X PUT -k \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" "$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:app_id:%252Fspark/users/<service-account-id>/create" curl -X PUT -k \ -H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:user:nobody/users/<service-account-id>/create
If you are setting permissions to execute Spark jobs from outside of the DC/OS cluster, see Set permissions for jobs running outside of the cluster.
Create a configuration file
Create a custom configuration file that will be used to install Spark and save as config.json
.
Specify the service account (<service-account-id>
) and secret (spark/<secret-name>
).
{
"service": {
"service_account": "<service-account-id>",
"user": "nobody",
"service_account_secret": "spark/<secret_name>"
}
}
Install Spark
Now, Spark can be installed with this command:
dcos package install --options=config.json spark
Use the following command to give Marathon the appropriate permissions.
curl -X PUT -k \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" $(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:mesos:master:task:user:root/users/dcos_marathon/create
Run Spark jobs
To run a job on a strict mode cluster, you must add the principal
to the command line.
For example:
dcos spark run --verbose --submit-args=" \
--conf spark.mesos.principal=spark-principal \
--conf spark.mesos.containerizer=mesos \
--class org.apache.spark.examples.SparkPi http://downloads.mesosphere.com/spark/assets/spark-examples_2.11-2.4.0.jar 100"
If you want to use the Docker Engine instead of the Universal Container Runtime, you must specify the user through the SPARK_USER
environment variable:
dcos spark run --verbose --submit-args="\
--conf spark.mesos.principal=spark-principal \
--conf spark.mesos.driverEnv.SPARK_USER=nobody \
--class org.apache.spark.examples.SparkPi http://downloads.mesosphere.com/spark/assets/spark-examples_2.11-2.4.0.jar 100"