Github user tgravescs commented on the pull request:
https://github.com/apache/spark/pull/4688#issuecomment-76224212
The user has to have a cron job (or similar) that does a kinit and then
would push the credentials out. This would be harder on spark as it would have
to do it for each application and then you would have to create that
communication protocol to send it.
I did also just notice that apache slider is actually using the keytab
approach similar to what you are proposing.
Some other cons though to using the keytab approach:
- some kdc's might consider it a replay attack if on lots of hosts are
doing kinit all at once (ie you are using headless user type keytab)
- if not using headless user keytab then you need to generate per host
keytab and figure out how to distribute properly. This is a headache for
operations team to generate those and manage them.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
