[jira] [Commented] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal

Tue, 16 Oct 2018 07:25:19 -0700 


    [ 
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651800#comment-16651800
 ] 

Marco Gaido commented on SPARK-25732:
-------------------------------------

[~tgraves] I think they can be reused, the point is that it may be confusing 
that:
{code}
kinit -kt super.keytab [email protected]
spark-submit --principal [email protected] --keytab hdfs:///a.keytab 
--proxy-user a
{code}
runs with user {{super}} impersonating user {{a}}, while
{code}
kinit -kt super.keytab [email protected]
spark-submit --principal [email protected] --keytab hdfs:///a.keytab
{code}
runs with user {{a}}. So the reason why I was proposing different configs is 
for clarity of the end user.

I think the other point is that giving to the external systems the 
responsibility of pushing tokens can cause an indefinite number of issues and 
it is going to be hard to understand where the responsibility is. Centralizing 
the responsibility in Spark, would allow all these intermediate systems to work 
properly without any issue. 


> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the 
> lack of token renewal. In order to enable it, we need the the 
> keytab/principal of the impersonated user to be specified, in order to have 
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and 
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also 
> in a distributed FS, so that applications can be submitted by servers (eg. 
> Livy, Zeppelin) without needing all users' principals being on that machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to