diff --git a/core/src/main/scala/org/apache/spark/SecurityManager.scala b/core/src/main/scala/org/apache/spark/SecurityManager.scala
index 673ef49e7c1c599591ff17eeb958756b27aaeb44..746d2081d43936c989f8d1cb538e30819f2d7160 100644
--- a/core/src/main/scala/org/apache/spark/SecurityManager.scala
+++ b/core/src/main/scala/org/apache/spark/SecurityManager.scala
@@ -310,7 +310,16 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
setViewAcls(Set[String](defaultUser), allowedUsers)
}
- def getViewAcls: String = viewAcls.mkString(",")
+ /**
+ * Checking the existence of "*" is necessary as YARN can't recognize the "*" in "defaultuser,*"
+ */
+ def getViewAcls: String = {
+ if (viewAcls.contains("*")) {
+ "*"
+ } else {
+ viewAcls.mkString(",")
+ }
+ }
/**
* Admin acls should be set before the view or modify acls. If you modify the admin
@@ -321,7 +330,16 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
logInfo("Changing modify acls to: " + modifyAcls.mkString(","))
}
- def getModifyAcls: String = modifyAcls.mkString(",")
+ /**
+ * Checking the existence of "*" is necessary as YARN can't recognize the "*" in "defaultuser,*"
+ */
+ def getModifyAcls: String = {
+ if (modifyAcls.contains("*")) {
+ "*"
+ } else {
+ modifyAcls.mkString(",")
+ }
+ }
/**
* Admin acls should be set before the view or modify acls. If you modify the admin
@@ -394,7 +412,7 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
def checkUIViewPermissions(user: String): Boolean = {
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " viewAcls=" +
viewAcls.mkString(","))
- !aclsEnabled || user == null || viewAcls.contains(user)
+ !aclsEnabled || user == null || viewAcls.contains(user) || viewAcls.contains("*")
}
/**
@@ -409,7 +427,7 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
def checkModifyPermissions(user: String): Boolean = {
logDebug("user=" + user + " aclsEnabled=" + aclsEnabled() + " modifyAcls=" +
modifyAcls.mkString(","))
- !aclsEnabled || user == null || modifyAcls.contains(user)
+ !aclsEnabled || user == null || modifyAcls.contains(user) || modifyAcls.contains("*")
}
diff --git a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
index f34aefca4eb1843969e60db851bc1e823071b5c8..f29160d83408244a04b817d304ac076591f9b3af 100644
--- a/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
+++ b/core/src/test/scala/org/apache/spark/SecurityManagerSuite.scala
@@ -125,6 +125,47 @@ class SecurityManagerSuite extends SparkFunSuite {
}
+ test("set security with * in acls") {
+ val conf = new SparkConf
+ conf.set("spark.ui.acls.enable", "true")
+ conf.set("spark.admin.acls", "user1,user2")
+ conf.set("spark.ui.view.acls", "*")
+ conf.set("spark.modify.acls", "user4")
+
+ val securityManager = new SecurityManager(conf)
+ assert(securityManager.aclsEnabled() === true)
+
+ // check for viewAcls with *
+ assert(securityManager.checkUIViewPermissions("user1") === true)
+ assert(securityManager.checkUIViewPermissions("user5") === true)
+ assert(securityManager.checkUIViewPermissions("user6") === true)
+ assert(securityManager.checkModifyPermissions("user4") === true)
+ assert(securityManager.checkModifyPermissions("user7") === false)
+ assert(securityManager.checkModifyPermissions("user8") === false)
+
+ // check for modifyAcls with *
+ securityManager.setModifyAcls(Set("user4"), "*")
+ assert(securityManager.checkModifyPermissions("user7") === true)
+ assert(securityManager.checkModifyPermissions("user8") === true)
+
+ securityManager.setAdminAcls("user1,user2")
+ securityManager.setModifyAcls(Set("user1"), "user2")
+ securityManager.setViewAcls(Set("user1"), "user2")
+ assert(securityManager.checkUIViewPermissions("user5") === false)
+ assert(securityManager.checkUIViewPermissions("user6") === false)
+ assert(securityManager.checkModifyPermissions("user7") === false)
+ assert(securityManager.checkModifyPermissions("user8") === false)
+
+ // check for adminAcls with *
+ securityManager.setAdminAcls("user1,*")
+ securityManager.setModifyAcls(Set("user1"), "user2")
+ securityManager.setViewAcls(Set("user1"), "user2")
+ assert(securityManager.checkUIViewPermissions("user5") === true)
+ assert(securityManager.checkUIViewPermissions("user6") === true)
+ assert(securityManager.checkModifyPermissions("user7") === true)
+ assert(securityManager.checkModifyPermissions("user8") === true)
+ }
+
test("ssl on setup") {
val conf = SSLSampleConfigs.sparkSSLConfig()
val expectedAlgorithms = Set(
diff --git a/docs/configuration.md b/docs/configuration.md
index 77c5cbc7b3196bee6167bf77b91b3fcf03005c1b..fb0315ce7c3cc9a3d36f2cf5647ee1b140ac48c9 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1286,7 +1286,8 @@ Apart from these, the following properties are also available, and may be useful
<td>
Comma separated list of users/administrators that have view and modify access to all Spark jobs.
This can be used if you run on a shared cluster and have a set of administrators or devs who
- help debug when things work.
+ help debug when things work. Putting a "*" in the list means any user can have the priviledge
+ of admin.
</td>
</tr>
<tr>
@@ -1327,7 +1328,8 @@ Apart from these, the following properties are also available, and may be useful
<td>Empty</td>
<td>
Comma separated list of users that have modify access to the Spark job. By default only the
- user that started the Spark job has access to modify it (kill it for example).
+ user that started the Spark job has access to modify it (kill it for example). Putting a "*" in
+ the list means any user can have access to modify it.
</td>
</tr>
<tr>
@@ -1349,7 +1351,8 @@ Apart from these, the following properties are also available, and may be useful
<td>Empty</td>
<td>
Comma separated list of users that have view access to the Spark web ui. By default only the
- user that started the Spark job has view access.
+ user that started the Spark job has view access. Putting a "*" in the list means any user can
+ have view access to this Spark job.
</td>
</tr>
</table>