[jira] [Commented] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal

Tue, 16 Oct 2018 09:23:24 -0700 


    [ 
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16652029#comment-16652029
 ] 

Marcelo Vanzin commented on SPARK-25732:
----------------------------------------

bq. livy server would not know which data sources to fetch tokens for 

That is true. Two approaches that currently exist are Spark's (get tokens for 
everything it can, even if they won't be used) and Oozie's (I believe; make the 
user explicitly choose at submission time which tokens the app will need).

bq. So the reason why I was proposing different configs is for clarity of the 
end user.

Why would the user care how the Spark application is started by a service? And 
in the second case you would not need the kinit for the service account.

bq. I think the other point is that giving to the external systems the 
responsibility of pushing tokens can cause an indefinite number of issues 

It also solves two issues with the other approach: not everybody has a keytab, 
and those who do generally dislike their keytabs being sent around the network 
and stored in a bunch of places.

> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the 
> lack of token renewal. In order to enable it, we need the the 
> keytab/principal of the impersonated user to be specified, in order to have 
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and 
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also 
> in a distributed FS, so that applications can be submitted by servers (eg. 
> Livy, Zeppelin) without needing all users' principals being on that machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to