Skip to content

NGSOK-1852 Backport AuthenticationFilter and add MetricsAuthFilter to path-scope auth on the Spark UI#50

Merged
giggsoff merged 2 commits into
develop/4.3.0/3.5.4.4from
feature/3/NGSOK-1852
Jul 10, 2026
Merged

NGSOK-1852 Backport AuthenticationFilter and add MetricsAuthFilter to path-scope auth on the Spark UI#50
giggsoff merged 2 commits into
develop/4.3.0/3.5.4.4from
feature/3/NGSOK-1852

Conversation

@giggsoff

@giggsoff giggsoff commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Spark's HTTP security is UI-wide: spark.ui.filters, the ACLs and the TLS connector all apply to every path served by the Spark UI, so there is no built-in way to require a bearer token on /metrics/* while leaving the human UI on Kerberos. A Prometheus/vmagent scraper cannot perform SPNEGO, so a UI-wide SPNEGO filter would block scraping outright.

MetricsAuthFilter is a single spark.ui.filters filter that dispatches by path: bearer-guarded (or open) for /metrics/*, and an optional delegate to Hadoop's javax AuthenticationFilter (SPNEGO/pseudo) for the rest of the UI. Spark 3.5's UI is javax.servlet, so Hadoop's own AuthenticationFilter plugs in directly - no Spark wrapper is needed, unlike Spark 4 whose jakarta UI requires one. The delegate is loaded reflectively so this compiles against the shaded hadoop-client-api while the unshaded hadoop-auth supplies the real filter at runtime.

Ships in spark-core, configured via
spark.org.apache.spark.filter.MetricsAuthFilter.param.*. Both this filter and using Hadoop's AuthenticationFilter directly are documented in docs/security.md.

Spark's HTTP security is UI-wide: spark.ui.filters, the ACLs and the TLS
connector all apply to every path served by the Spark UI, so there is no
built-in way to require a bearer token on /metrics/* while leaving the human
UI on Kerberos. A Prometheus/vmagent scraper cannot perform SPNEGO, so a
UI-wide SPNEGO filter would block scraping outright.

MetricsAuthFilter is a single spark.ui.filters filter that dispatches by path:
bearer-guarded (or open) for /metrics/*, and an optional delegate to Hadoop's
javax AuthenticationFilter (SPNEGO/pseudo) for the rest of the UI. Spark 3.5's
UI is javax.servlet, so Hadoop's own AuthenticationFilter plugs in directly - no
Spark wrapper is needed, unlike Spark 4 whose jakarta UI requires one. The
delegate is loaded reflectively so this compiles against the shaded
hadoop-client-api while the unshaded hadoop-auth supplies the real filter at
runtime.

Ships in spark-core, configured via
spark.org.apache.spark.filter.MetricsAuthFilter.param.*. Both this filter and
using Hadoop's AuthenticationFilter directly are documented in docs/security.md.
@giggsoff giggsoff self-assigned this Jul 8, 2026
@giggsoff giggsoff changed the title NGSOK-1852 Add MetricsAuthFilter to path-scope auth on the Spark UI NGSOK-1852 Backport AuthenticationFilter and add MetricsAuthFilter to path-scope auth on the Spark UI Jul 8, 2026
…ark 4

On Spark 3.5 the UI is javax.servlet, so Hadoop's own AuthenticationFilter can
protect the whole Web UI directly - no Spark class is strictly required (unlike
Spark 4, whose jakarta UI needs the org.apache.spark.filter.AuthenticationFilter
shim). This adds a thin org.apache.spark.filter.AuthenticationFilter that forwards
init/doFilter/destroy to Hadoop's javax filter (loaded reflectively to compile
against the shaded hadoop-client-api; the unshaded hadoop-auth supplies the real
filter at runtime).

Its only purpose is configuration parity: the same spark.ui.filters value and
spark.org.apache.spark.filter.AuthenticationFilter.param.* keys now work on Spark
3.5 and Spark 4 alike, and are shorter than naming Hadoop's class directly.
MetricsAuthFilter now delegates to this wrapper so both filters share one class.
docs/security.md updated accordingly.
@giggsoff giggsoff force-pushed the feature/3/NGSOK-1852 branch from 27afdb2 to c8eb05f Compare July 8, 2026 15:54
@giggsoff giggsoff requested review from Asmoday and werzerbb July 9, 2026 10:47
@giggsoff giggsoff merged commit 49dd02b into develop/4.3.0/3.5.4.4 Jul 10, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant