I just wanted to bump this to see if anyone has any opinions on this? On Fri, Feb 28, 2020 at 3:20 PM Lars Francke <lars.fran...@gmail.com> wrote:
> Hi, > > I understand that we forbid specifying "principal" & "proxy user" at the > same time because the current logic would just stage the keytab and the > proxy user could then use that to gain full access circumventing any > security. > > But we have a use-case for Livy where a different semantic would be great: > Livy is supposed to submit a job for other users. It does so by specifying > "proxy user" and it relies on the local credential cache (outside of Java) > to contain the proper tickets (it runs kinit in a background thread). > > This will only work if Livy runs in an environment where it's the only > user working with that credentials cache. Unfortunately that's not always > the case when multiple services share the same user. > > (One thing we'll try is to use the KRB5CCNAME environment variable to > point to a different Credential Cache for Livy but I'm not sure yet if > that's being passed on to the spawned Spark process) > > Can we not allow specifying a keytab and principal together with proxy > user but those are only used for the initial login to submit the job and > are not shipped to the cluster? This way jobs wouldn't need to rely on the > operating system. > > Maybe I'm missing something as well? > > Cheers, > Lars >
