[ https://issues.apache.org/jira/browse/SPARK-16742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963583#comment-15963583 ]

Michael Gummelt commented on SPARK-16742:
-----------------------------------------

bq. That sounds problematic. The way YARN works is that it actually 
authenticates the user. Are you saying that Mesos doesn't do user 
authentication?

AFAICT, YARN doesn't authenticate the Linux user.  The KDC authenticates the 
kerberos principal, and YARN maps this principal to a Linux user via 
{{hadoop.security.auth_to_local}}.  So if a user authenticated to the KDC via a 
principal "Joe", and the {{auth_to_local}} rule maps "Joe" to "root", then 
"Joe" can launch processes as "root", even though he never provided "root" 
credentials.  It's up to the cluster administrator to properly set up this 
Kerberos -> Linux mapping.

It's a similar story with Mesos.  Mesos doesn't authenticate the Linux user.  
It authenticates the Mesos principal, and this principal is allowed to launch 
processes only as certain Linux users.  It's up to the cluster admin to set up this 
mapping appropriately.

The big difference is that, by default, YARN will map the Kerberos principal to 
the Linux user with the same name, so there's no problem.  Whereas Mesos will 
allow the driver to launch executors as any user that their Mesos principal is 
allowed to launch users as.  So it's up to the admin to only provide users with 
consistent Mesos and Kerberos credentials.

bq. Are you saying that for YARN or Mesos? When YARN runs in Kerberos mode, 
Kerberos dictates the user.

I'm talking about YARN.  See the above comment.  If {{auth_to_local}} is used 
like I think it is, then that's what ultimately determines the Linux user, not 
just Kerberos.

bq.  The use case you mention ("user starting an application in cluster mode 
with no kerberos credentials") sounds actually worrying

I actually said a "user might not be kinit'd".  They may, however, have access 
to the keytab.  But since they're not on the same network as the KDC, they 
can't authenticate directly.  But they do have the creds.
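As an added illustration of the {{auth_to_local}} mapping discussed above (this is example code written for this page, not Hadoop, Spark or Mesosphere code): a simplified evaluator for Hadoop's rule syntax, plus an audit helper that reports which principals a rule set maps onto privileged Linux accounts. The default realm, the rule list and the probe principals are constructed; back-references in the sed replacement part are not supported.

```python
import re
# Added example, not Hadoop or Spark code: simplified evaluator for
# hadoop.security.auth_to_local rules (DEFAULT and RULE:[n:fmt](regex)s/a/b/g[/L]).
DEFAULT_REALM = "EXAMPLE.COM"  # constructed value
_RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
                   r"(?:s/([^/]*)/([^/]*)/(g)?)?(?:/(L))?$")

def apply_rule(rule, principal):
    """Short name produced by one rule, or None when the rule does not match."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        return comps[0] if realm == DEFAULT_REALM else None
    m = _RULE.match(rule)
    if not m:
        raise ValueError("malformed rule: " + rule)
    n, fmt, regex, frm, to, repeat, lower = m.groups()
    if len(comps) != int(n):
        return None
    # $0 is the realm, $1.. are the principal components
    base = re.sub(r"\$(\d+)", lambda g: realm if g.group(1) == "0"
                  else comps[int(g.group(1)) - 1], fmt)
    if regex is not None and not re.fullmatch(regex, base):
        return None
    result = base if frm is None else re.sub(frm, to, base, count=0 if repeat else 1)
    if re.search(r"[/@]", result):  # Hadoop rejects non-simple names here
        raise ValueError("non-simple name %r after rule %s" % (result, rule))
    return result.lower() if lower else result

def map_principal(rules, principal):
    """First matching rule wins; no match is an error, as in Hadoop."""
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    raise LookupError("no auth_to_local rule matched " + principal)

def risky_mappings(rules, probes, privileged=("root", "hdfs", "yarn")):
    """Audit helper: which probe principals land on privileged Linux accounts."""
    found = {}
    for principal in probes:
        try:
            short = map_principal(rules, principal)
        except LookupError:
            continue
        if short in privileged:
            found[principal] = short
    return found

# Constructed rule set; the first rule is the kind of mapping the comment warns about.
RULES = ["RULE:[1:$1@$0](joe@EXAMPLE.COM)s/.*/root/",
         "RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//", "DEFAULT"]
```

Running `risky_mappings(RULES, [...])` over the principals an admin actually issues is a quick way to catch a rule that silently grants a Kerberos identity a privileged Linux account.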


> Kerberos support for Spark on Mesos
> -----------------------------------
>
>                 Key: SPARK-16742
>                 URL: https://issues.apache.org/jira/browse/SPARK-16742
>             Project: Spark
>          Issue Type: New Feature
>          Components: Mesos
>            Reporter: Michael Gummelt
>
> We at Mesosphere have written Kerberos support for Spark on Mesos.  We'll be 
> contributing it to Apache Spark soon.
> Mesosphere design doc: 
> https://docs.google.com/document/d/1xyzICg7SIaugCEcB4w1vBWp24UDkyJ1Pyt2jtnREFqc/edit#heading=h.tdnq7wilqrj6
> Mesosphere code: 
> https://github.com/mesosphere/spark/commit/73ba2ab8d97510d5475ef9a48c673ce34f7173fa



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
