[
https://issues.apache.org/jira/browse/SAMZA-727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126695#comment-15126695
]
Yi Pan (Data Infrastructure) commented on SAMZA-727:
----------------------------------------------------
[[email protected]], thanks for the feedback. Let me put down some of my
thoughts here:
# Samza jobs are usually stateful jobs and have implemented at-least-once retry
logic in case of failure and job restarts. Hence, it is reasonable to assume
that the AM for a Samza application can cope with restarts w/o losing work,
although I would agree that it is still not ideal.
# Ideally, what we want is that the AM can also refresh/renew the keytab and
refresh the token w/ the RM periodically. Also, the containers need to get
renewed delegation tokens from the AM as well. Job restarts during the refresh
are not ideal, but tolerable if there is no better solution.
Given the above, do you still think the current patch does not work for the
long-running Samza jobs? Correct me if I am mistaken, I think that the ideal
solution seems to be:
# Have a keytab distribution service (i.e. the [AM keytab + renewal and
forwarding of Delegation Tokens to
containers|https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/yarn.html])
to allow the AM to acquire the keytab (maybe via https?)
# AM uses the keytab to keep the connection w/ the RM
# AM delivers/renews the delegation tokens to containers when restarting the
containers, assuming that the running container does not need to renew the
security context as long as it is still running.
Does the above solution follow the guidance in YARN Kerberos integration?
Please help to point out the possible holes here.
Thanks a lot!
> Support for Kerberos
> --------------------
>
> Key: SAMZA-727
> URL: https://issues.apache.org/jira/browse/SAMZA-727
> Project: Samza
> Issue Type: New Feature
> Components: yarn
> Affects Versions: 0.9.0
> Environment: YARN with Kerberos
> Reporter: Qi FU
> Assignee: Chen Song
> Fix For: 0.10.1
>
> Attachments: SAMZA-727.patch
>
>
> Samza doesn't support Kerberos, which is very common for YARN clusters.