Github user vanzin commented on the pull request:
https://github.com/apache/spark/pull/2320#issuecomment-185451821
> which means as you mentioned, there is a way or process to do "kinit"
> for each user
That's not what I said at all. What I said is that because Spark standalone
is insecure, and it runs everything as the same OS user, it should be up to the
admin deploying the cluster to kinit *a single user* that will become the
"Spark User" for the cluster, and everybody submitting jobs to the Spark
standalone master will effectively be running Spark apps as that user.
That way, Spark does not create a security hole in the cluster, because:
- admins have to opt in to this insecure Spark setup
- they can easily revoke privileges by not allowing that Spark user to do
anything else in the cluster
- users don't risk having their keytabs or delegation tokens being read by
other users