Spark Authentication¶
Table of Contents
Introduction¶
By default the ORA_APP_PASS
password will be exposed in clear-text on the Spark command line. If the password has been encrypted in offload.env
using Password Tool then it will be decrypted before being included on the Spark command line.
To prevent a clear password from being exposed on the Spark command line the following approach should be used.
Oracle Wallet¶
Using an Oracle Wallet removes the clear-text password from the Spark command line and stores the password in an encrypted key store.
Oracle PKI Libraries¶
The following JAR files should be copied from $ORACLE_HOME/jlib
to $SPARK_HOME/jars/
:
oraclepki.jar
osdt_cert.jar
osdt_core.jar
Create Oracle Wallet¶
On the Oracle Database server create the Oracle Wallet and add the Gluent Data Platform credential:
$ . $OFFLOAD_HOME/conf/offload.env
$ mkdir -p $OFFLOAD_HOME/../gluent_wallet
$ orapki wallet create -wallet $OFFLOAD_HOME/../gluent_wallet -auto_login -pwd <password>
$ mkstore -wrl "$OFFLOAD_HOME/../gluent_wallet" -createCredential "$ORA_CONN" "$ORA_APP_USER" <ora_app_pass>
Enter wallet password: <password>
Create credential oracle.security.client.connect_string1
$ orapki wallet display -wallet $OFFLOAD_HOME/../gluent_wallet -pwd <password>
...
Oracle Secret Store entries:
oracle.security.client.connect_string1
oracle.security.client.password1
oracle.security.client.username1
...
The value for <password>
should be replaced with a chosen password to protect the Oracle Wallet.
The value for <ora_app_pass>
should be replaced with the unencrypted value of ORA_APP_PASS
.
The Oracle Wallet needs to be propagated to all Oracle RAC servers on which Gluent Data Platform is installed.
Copy Oracle Wallet¶
On the Oracle Database server copy the Oracle Wallet to the offload transport host:
$ . $OFFLOAD_HOME/conf/offload.env
$ scp -r $OFFLOAD_HOME/../gluent_wallet ${OFFLOAD_TRANSPORT_USER}@${OFFLOAD_TRANSPORT_CMD_HOST}:/opt/gluent
SQLNet Profile Configuration¶
Add the following to the /opt/gluent/sqlnet.ora
file on the offload transport host:
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/opt/gluent/gluent_wallet)))
Configure Spark Standalone¶
Edit $SPARK_HOME/conf/spark-defaults.conf
adding the following entries:
spark.driver.extraJavaOptions=-Doracle.net.wallet_location=/opt/gluent/gluent_wallet
spark.executor.extraJavaOptions=-Doracle.net.wallet_location=/opt/gluent/gluent_wallet
Note
If spark.driver.extraJavaOptions
or spark.executor.extraJavaOptions
are already present in the spark-defaults.conf
file then append the values above rather than overwriting the existing entries.
Restart Spark Standalone¶
For the changes to take effect Spark must be restarted. The examples below show how to restart Spark Standalone.
To stop Spark Standalone issue the following commands:
$ $SPARK_HOME/sbin/stop-all.sh
$ $SPARK_HOME/sbin/stop-history-server.sh
To start Spark Standalone manually, issue the following commands:
$ $SPARK_HOME/sbin/start-all.sh
$ $SPARK_HOME/sbin/start-history-server.sh
Update Gluent Data Platform Environment File¶
Set OFFLOAD_TRANSPORT_AUTH_USING_ORACLE_WALLET
to true
in offload.env
.
Important
Any changes made to the Gluent Data Platform environment file (offload.env
) must be propagated across all installations.