[
https://issues.apache.org/jira/browse/TEZ-2886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14957632#comment-14957632
]
Siddharth Seth commented on TEZ-2886:
-------------------------------------
bq. This seems like it could have problems in practice. Who owns the logs, for
example? How does a user authenticate with that AM when they try to monitor
their specific session? Curious, is there a use case for this or is it
theoretical?

This will have problems in practice (quite a few of them) - which would have to
be solved if this were actually to be used. For now, even the UGI used for a
DAG is not correct.

In terms of viewing logs etc. - ACLs could be used, but that itself is a
security hole.

Just in terms of pure execution though, this is possible - since the
appropriate filesystem tokens are submitted per DAG.

The use case for this would have been Hive running with storage based auth
(instead of SQL standard auth), where jobs are run as different users. The
session pool in Hive server could theoretically be used. There are additional
issues around cluster usage and accounting, capacity allocation etc. which would
need to be addressed. (These are considerations for SQL standard auth as well).
Essentially, some support from YARN would likely be required to enable
different users on the same application.

bq. I'm also wondering whose responsibility it is for renewing the delegation
tokens submitted with the DAG that weren't submitted to the RM as part of the
application context.

Renewal of tokens will not happen. This would only work for short running jobs.
Tez sessions in general have a constraint of running more than 7 days - after
which base token renewal stops.

> Ability to merge AM credentials with DAG credentials
> ----------------------------------------------------
>
> Key: TEZ-2886
> URL: https://issues.apache.org/jira/browse/TEZ-2886
> Project: Apache Tez
> Issue Type: Improvement
> Affects Versions: 0.7.0
> Reporter: Jason Lowe
> Assignee: Jason Lowe
>
> Currently AM credentials are explicitly kept separate from DAG credentials,
> but this can cause problems when credentials are automatically added to the
> application as part of the submission process but outside of the client's
> knowledge. We need the ability for the AM's credentials to be merged with
> the DAG credentials so DAGs can pick up important credentials that were not
> submitted by the client.