[
https://issues.apache.org/jira/browse/SPARK-23790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stavros Kontopoulos updated SPARK-23790:
----------------------------------------
Description:
This appeared at a customer trying to integrate with a kerberized hdfs cluster.
This is easily fixed with the proposed fix
[here|https://github.com/apache/spark/pull/17333].
The other option is to add the delegation tokens to the current user's UGI as
in [here|https://github.com/apache/spark/pull/17335] . The last fixes the
problem but leads to a failure when someones uses a HadoopRDD because the
latter, uses FileInputFormat to get the splits which calls the local ticket
cache TokenCache.obtainTokensForNamenodes. Eventually this will fail with:
Exception in thread "main"
org.apache.hadoop.ipc.RemoteException(java.io.IOException): Delegation Token
can be issued only with kerberos or web authentication
at
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:5896)
This implies that security mode is SIMPLE and hadoop libs there are not aware
of kerberos.
This is related to this[
issue|https://issues.apache.org/jira/browse/MAPREDUCE-6876] where we had some
issues in the past and the workaround decided is to
[trick|https://github.com/apache/spark/blob/a33655348c4066d9c1d8ad2055aadfbc892ba7fd/core/src/main/scala/org/apache/spark/deploy/SparkSubmit.scala#L795-L804]
hadoop.
was:
This appeared at a customer trying to integrate with a kerberized hdfs cluster.
This is easily fixed with the proposed fix here:
[https://github.com/apache/spark/pull/17333]
The other option is to add the delegation tokens to the current user's UGI as
in here: [https://github.com/apache/spark/pull/17335]. The last fixes the
problem but leads to a failure when someones uses a HadoopRDD because the
latter, uses FileInputFormat to get the splits which calls the local ticket
cache TokenCache.obtainTokensForNamenodes. Eventually this will fail with:
Exception in thread "main"
org.apache.hadoop.ipc.RemoteException(java.io.IOException): Delegation Token
can be issued only with kerberos or web authentication
at
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:5896)
This implies that security mode is SIMPLE and hadoop libs there are not aware
of kerberos.
This is related to this issue:
https://issues.apache.org/jira/browse/MAPREDUCE-6876
> proxy-user failed connecting to a kerberos configured metastore
> ---------------------------------------------------------------
>
> Key: SPARK-23790
> URL: https://issues.apache.org/jira/browse/SPARK-23790
> Project: Spark
> Issue Type: Bug
> Components: Mesos
> Affects Versions: 2.3.0
> Reporter: Stavros Kontopoulos
> Priority: Major
>
> This appeared at a customer trying to integrate with a kerberized hdfs
> cluster.
> This is easily fixed with the proposed fix
> [here|https://github.com/apache/spark/pull/17333].
> The other option is to add the delegation tokens to the current user's UGI as
> in [here|https://github.com/apache/spark/pull/17335] . The last fixes the
> problem but leads to a failure when someones uses a HadoopRDD because the
> latter, uses FileInputFormat to get the splits which calls the local ticket
> cache TokenCache.obtainTokensForNamenodes. Eventually this will fail with:
> Exception in thread "main"
> org.apache.hadoop.ipc.RemoteException(java.io.IOException): Delegation Token
> can be issued only with kerberos or web authentication
> at
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getDelegationToken(FSNamesystem.java:5896)
> This implies that security mode is SIMPLE and hadoop libs there are not aware
> of kerberos.
> This is related to this[
> issue|https://issues.apache.org/jira/browse/MAPREDUCE-6876] where we had
> some issues in the past and the workaround decided is to
> [trick|https://github.com/apache/spark/blob/a33655348c4066d9c1d8ad2055aadfbc892ba7fd/core/src/main/scala/org/apache/spark/deploy/SparkSubmit.scala#L795-L804]
> hadoop.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
