Github user vanzin commented on the pull request:
https://github.com/apache/spark/pull/8218#issuecomment-137267685
Yes, and if you look at that code, that secret is the return value of
`SecurityManager.getSecretKey()`, which on YARN is stored in the
`UserGroupInformation` object. Here's the code to make it clear:
```scala
val secretKey =
  SparkHadoopUtil.get.getSecretKeyFromUserCredentials(sparkSecretLookupKey)
if (secretKey != null) {
  logDebug("in yarn mode, getting secret from credentials")
  return new Text(secretKey).toString
} else {
  logDebug("getSecretKey: yarn mode, secret key from credentials is null")
}
val cookie = akka.util.Crypt.generateSecureCookie
// if we generated the secret then we must be the first so lets set it so t
// gets used by everyone else
SparkHadoopUtil.get.addSecretKeyToUserCredentials(sparkSecretLookupKey, cookie)
```
If the secret doesn't yet exist (i.e. before the app is submitted), then a
new one is created and stashed in the user's credentials. If it already exists
(e.g. for the AM and all executors), then it's used. Authentication works fine
just as it was originally designed. This patch is not about authentication.
It's about authorization.