[
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650535#comment-16650535
]
Marcelo Vanzin commented on SPARK-25732:
----------------------------------------
I'd have preferred a system where Livy handles this for the users by
periodically creating new delegation tokens for them and sending them to Spark.
Saisai looked at something like this in the past, but distributing the tokens
to Spark was the main issue.
With Livy you already have an RPC channel to the Spark context, so maybe that
could be done? But it would probably still require some new API in Spark
itself...
If those paths don't work, then this would be no worse than what Spark already
has. Main issue is that you seem to be mixing keytab/principal with proxy user
and that doesn't work - Spark explicitly disallows that combination.
> Allow specifying a keytab/principal for proxy user for token renewal
> ---------------------------------------------------------------------
>
> Key: SPARK-25732
> URL: https://issues.apache.org/jira/browse/SPARK-25732
> Project: Spark
> Issue Type: Improvement
> Components: Deploy
> Affects Versions: 2.4.0
> Reporter: Marco Gaido
> Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the
> lack of token renewal. In order to enable it, we need the the
> keytab/principal of the impersonated user to be specified, in order to have
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also
> in a distributed FS, so that applications can be submitted by servers (eg.
> Livy, Zeppelin) without needing all users' principals being on that machine.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
