Github user sryza commented on a diff in the pull request:
https://github.com/apache/spark/pull/607#discussion_r12212537
--- Diff: core/src/main/scala/org/apache/spark/deploy/SparkHadoopUtil.scala
---
@@ -35,15 +35,28 @@ class SparkHadoopUtil {
val conf: Configuration = newConfiguration()
UserGroupInformation.setConfiguration(conf)
- def runAsUser(user: String)(func: () => Unit) {
+ /** Creates a UserGroupInformation for Spark based on SPARK_USER
environment variable. */
+ def createSparkUser(): Option[UserGroupInformation] = {
+ val user =
Option(System.getenv("SPARK_USER")).getOrElse(SparkContext.SPARK_UNKNOWN_USER)
if (user != SparkContext.SPARK_UNKNOWN_USER) {
- val ugi = UserGroupInformation.createRemoteUser(user)
- transferCredentials(UserGroupInformation.getCurrentUser(), ugi)
- ugi.doAs(new PrivilegedExceptionAction[Unit] {
- def run: Unit = func()
- })
+ Some(UserGroupInformation.createRemoteUser(user))
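Review bot: In createSparkUser(), the removed transferCredentials(UserGroupInformation.getCurrentUser(), ugi) call has no replacement in the visible lines, so the UGI returned by Some(UserGroupInformation.createRemoteUser(user)) carries none of the current user's credentials. Either keep the transfer inside this method or state in the scaladoc that the caller must call transferCredentials before doAs. The scaladoc should also say when None is returned, since the identity is taken directly from the SPARK_USER environment variable and falls back to SparkContext.SPARK_UNKNOWN_USER.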
--- End diff --
> I'm not sure what's the objective of calling createRemoteUser() here.

In non-secure mode, the process runs as "yarn", but needs to interact with
HDFS as the app user.

> But to address @pwendell's comments about tokens, there should be code
> somewhere that's renewing the Kerberos ticket (by calling
> UserGroupInformation.reloginFromKeytab() at appropriate periods).

On YARN, neither the driver nor the container will necessarily have
keytabs. They authenticate using delegation tokens, which currently don't get
replaced.