i was testing using the acl for spark ui in secure mode on yarn in client mode.
it works great. my spark 1.0.0 configuration has: spark.authenticate = true spark.ui.acls.enable = true spark.ui.view.acls = koert spark.ui.filters = org.apache.hadoop.security.authentication.server.AuthenticationFilter spark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params="type=kerberos,kerberos.principal=HTTP/mybox@MYDOMAIN ,kerberos.keytab=/some/keytab" i confirmed that i can access the ui from firefox after doing kinit. however i also saw this in the logs of my driver program: 2014-07-07 17:21:56 DEBUG server.Server: RESPONSE /broadcast_0 401 handled=true and 2014-07-07 17:21:56 DEBUG server.Server: REQUEST /jars/somejar-assembly-0.1-SNAPSHOT.jar on BlockingHttpConnection@3d6396f5 ,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParse\ r{s=-5,l=10,c=0},r=1 2014-07-07 17:21:56 DEBUG server.Server: RESPONSE /jars/somejar-assembly-0.1-SNAPSHOT.jar 401 handled=true what does this mean? is the webserver also responsible for handing out other stuff such as broadcast variables and jars, and is this now being rejected by my servlet filter? thats not good... the 401 response is exactly the same one i see when i try to access the website after kdestroy. for example: 2014-07-07 17:35:08 DEBUG server.AuthenticationFilter: Request [ http://mybox:5001/] triggering authentication 2014-07-07 17:35:08 DEBUG server.Server: RESPONSE / 401 handled=true