GitHub user harishreedharan commented on the pull request:
https://github.com/apache/spark/pull/4688#issuecomment-76240862
Not sure if you got a chance to look at the patch. We are actually not
logging in on every executor, but only on the Client and the AM. The client
logs in, sets the tokens for the AM and the AM starts using those. At 60% of
the expiry of AM's tokens (so around 4.2 days), the AM logs in and then
generates tokens which are passed around the executors. So the replay attack
should not be a concern, since the login happens days apart.
The keytab is actually used only by the client once and the AM once. It is
also passed around securely - we copy it to the application staging directory
and the AM reads it from there. So I don't think the distribution of the
keytab is actually much of an issue.