(fixed bad formatting)
Hi,
Given the other thread about per-job Kerberos identity, now's a good time to
discuss some problems with the current delegation-token approach, since the
answer could bear on the per-job enhancement.
I see two problems:
1. Delegation tokens expire. For a continuous streaming job to survive, the
original keytab is needed to re-authenticate. Spark Streaming solved this
problem with `--keytab` on spark-submit (see AMDelegationTokenRenewer.scala).
2. Kafka doesn't support delegation tokens yet (see KIP-48 and KAFKA-1696).
Thoughts? Thanks!
- Eron Wright
