We at Mesosphere have a proprietary implementation of Kerberos ticket forwarding using various Mesos hooks/modules, but this is specific to a particular customer use case. We're actively working on a way to pass keytabs/credentials to spark-submit so that it can forward them on to HDFS or other services. While this is still a specific use case (Spark -> HDFS), we're exploring how to generalize this approach beyond just Kerberos.
On Wed, Feb 10, 2016 at 5:56 PM, <[email protected]> wrote: > Hello guys, > > I wanted to follow up a little further on today’s Hangouts call about > Kerberos. For everyone else who may have not been on the call the idea is > if you have Spark, Myriad and some task running top of Mesos and it needs > access to some third party service like HDFS that needs kerberos > credentials how will that work? > > Adam has mentioned one solution he’s seen. This was to have credentials > cached on the master that will then intercept the calls and annotate the > task with their credentials and wrap the calls with something that unwraps > the credentials and puts it into place to authenticate. This will require > update the TGT as they expire. > > Adam, you’ve mentioned that is Mesosphere doing in this space as well, do > you know if that is specific to Kerberos or something else? Any other > suggestion will be helpful! > > Thanks! > > > *Known Jiras regarding this adding kerberos support for Mesos > > https://issues.apache.org/jira/browse/MESOS-907 > > > Miguel Bernadin Accenture Technology Labs – System Engineering > Contact: W (408) 817-2742 | M (631) 835-6345 | > [email protected]<mailto:[email protected]> > > ________________________________ > > This message is for the designated recipient only and may contain > privileged, proprietary, or otherwise confidential information. If you have > received it in error, please notify the sender immediately and delete the > original. Any other use of the e-mail by you is prohibited. Where allowed > by local law, electronic communications with Accenture and its affiliates, > including e-mail and instant messaging (including content), may be scanned > by our systems for the purposes of information security and assessment of > internal compliance with Accenture policy. > > ______________________________________________________________________________________ > > www.accenture.com >
