[ https://issues.apache.org/jira/browse/SPARK-16742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963583#comment-15963583 ]
Michael Gummelt commented on SPARK-16742:
-----------------------------------------

bq. That sounds problematic. The way YARN works is that it actually authenticates the user. Are you saying that Mesos doesn't do user authentication?

AFAICT, YARN doesn't authenticate the Linux user. The KDC authenticates the Kerberos principal, and YARN maps this principal to a Linux user via {{hadoop.security.auth_to_local}}. So if a user authenticated to the KDC via a principal "Joe", and the {{auth_to_local}} rule maps "Joe" to "root", then "Joe" can launch processes as "root", even though he never provided "root" credentials. It's up to the cluster administrator to properly set up this Kerberos -> Linux mapping.

It's a similar story with Mesos. Mesos doesn't authenticate the Linux user. It authenticates the Mesos principal, and this principal is allowed to launch processes only as certain Linux users. It's up to the cluster admin to set up this mapping appropriately.

The big difference is that, by default, YARN will map the Kerberos principal to the Linux user with the same name, so there's no problem. Whereas Mesos will allow the driver to launch executors as any user that their Mesos principal is allowed to launch users as. So it's up to the admin to only provide users with consistent Mesos and Kerberos credentials.

bq. Are you saying that for YARN or Mesos? When YARN runs in Kerberos mode, Kerberos dictates the user.

I'm talking about YARN. See the above comment. If {{auth_to_local}} is used like I think it is, then that's what ultimately determines the Linux user, not just Kerberos.

bq. The use case you mention ("user starting an application in cluster mode with no kerberos credentials") sounds actually worrying

I actually said a "user might not be kinit'd". They may, however, have access to the keytab. But since they're not on the same network as the KDC, they can't authenticate directly. But they do have the creds.
> Kerberos support for Spark on Mesos
> -----------------------------------
>
> Key: SPARK-16742
> URL: https://issues.apache.org/jira/browse/SPARK-16742
> Project: Spark
> Issue Type: New Feature
> Components: Mesos
> Reporter: Michael Gummelt
>
> We at Mesosphere have written Kerberos support for Spark on Mesos. We'll be
> contributing it to Apache Spark soon.
> Mesosphere design doc:
> https://docs.google.com/document/d/1xyzICg7SIaugCEcB4w1vBWp24UDkyJ1Pyt2jtnREFqc/edit#heading=h.tdnq7wilqrj6
> Mesosphere code:
> https://github.com/mesosphere/spark/commit/73ba2ab8d97510d5475ef9a48c673ce34f7173fa
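The {{auth_to_local}} mapping the comment describes, as an added example that is not part of the JIRA thread or of Hadoop's code: a simplified Python evaluator of Hadoop-style {{RULE:[n:string](filter)s/pattern/replacement/}} and {{DEFAULT}} rules, plus an audit helper that flags rules whose literal replacement is a privileged account. The rule set and realm are constructed for the example; the "Joe" -> "root" rule reproduces the misconfiguration discussed above.

```python
import re

# Constructed example configuration (not from any real cluster).
LOCAL_REALM = "EXAMPLE.COM"
RULES = [
    "RULE:[1:$1@$0](Joe@EXAMPLE.COM)s/.*/root/",   # maps principal Joe -> root
    "RULE:[2:$1](hdfs|yarn)s/.*/hadoop/",          # service principals -> hadoop
    "DEFAULT",                                     # same-realm, 1 component -> name
]

# RULE:[n:fmt](filter)s/pattern/replacement/[g]  -- filter and substitution optional
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]+)\](?:\(([^)]+)\))?(?:s/([^/]+)/([^/]*)/(g?))?")


def _format(fmt, components, realm):
    # $0 is the realm, $1..$n are the principal's name components
    out = fmt.replace("$0", realm)
    for i, comp in enumerate(components, start=1):
        out = out.replace(f"${i}", comp)
    return out


def map_principal(principal, rules=RULES, local_realm=LOCAL_REALM):
    """Return the Linux user a principal maps to under the rules, or None.
    Simplified re-implementation of Hadoop's auth_to_local semantics."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "")
    components = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm and len(components) == 1:
                return components[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError(f"unparseable rule: {rule}")
        n, fmt, flt, pat, repl, glob = m.groups()
        if int(n) != len(components):
            continue  # rule applies only to principals with n components
        candidate = _format(fmt, components, realm)
        if flt and not re.fullmatch(flt, candidate):
            continue  # filter did not match; try the next rule
        if pat:
            candidate = re.sub(pat, repl, candidate, count=0 if glob else 1)
        return candidate
    return None


def audit_rules(rules=RULES, privileged=("root", "hdfs", "yarn")):
    """Rules whose fixed replacement is a privileged local account."""
    flagged = []
    for rule in rules:
        m = RULE_RE.fullmatch(rule) if rule != "DEFAULT" else None
        if m and m.group(5) in privileged and "\\" not in m.group(5):
            flagged.append(rule)
    return flagged
```

Running the audit over a cluster's {{hadoop.security.auth_to_local}} value is a cheap way to catch a principal-to-superuser mapping before it lets an ordinary Kerberos identity launch work as root.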