[
https://issues.apache.org/jira/browse/SAMZA-727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15128150#comment-15128150
]
Steve Loughran commented on SAMZA-727:
--------------------------------------
In YARN-4653 I've actually tried to write down all that a YARN app has to do on
the topic of kerberos
Here's the document:
https://github.com/steveloughran/hadoop/blob/HADOOP-12649-security/YARN-4653-yarn/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-site/src/site/markdown/YarnApplicationSecurity.md
# For a short lived application, propagating tokens from client -> AM- >
containers is the tactic, though I've just discovered the oozie complications
there.
# For long lived work, keytab in AM and token propagation solves the problem,
at the cost of having to get keytabs off the security ops team.
# if you can also support token refresh in a client , forwarding to AM and
propagation to containers, then you also support deployment without keytabs, in
which oozie does the work of getting the tokens and passing them on.
Item #3 is extra work, to code and test, so I'd not rush to do it. But you way
want to think about how you'd implement your AM to support it.
> Support for Kerberos
> --------------------
>
> Key: SAMZA-727
> URL: https://issues.apache.org/jira/browse/SAMZA-727
> Project: Samza
> Issue Type: New Feature
> Components: yarn
> Affects Versions: 0.9.0
> Environment: YARN with Kerberos
> Reporter: Qi FU
> Assignee: Chen Song
> Fix For: 0.10.1
>
> Attachments: SAMZA-727.patch
>
>
> Samza doesn't support Kerberos, which is very common for YARN cluster.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
