Github user vanzin commented on a diff in the pull request:
https://github.com/apache/spark/pull/16923#discussion_r101829171
--- Diff:
sql/hive/src/main/scala/org/apache/spark/sql/hive/client/HiveClientImpl.scala
---
@@ -106,21 +106,33 @@ private[hive] class HiveClientImpl(
// Set up kerberos credentials for UserGroupInformation.loginUser
within
// current class loader
- // Instead of using the spark conf of the current spark context, a new
- // instance of SparkConf is needed for the original value of
spark.yarn.keytab
- // and spark.yarn.principal set in SparkSubmit, as yarn.Client resets
the
- // keytab configuration for the link name in distributed cache
if (sparkConf.contains("spark.yarn.principal") &&
sparkConf.contains("spark.yarn.keytab")) {
val principalName = sparkConf.get("spark.yarn.principal")
- val keytabFileName = sparkConf.get("spark.yarn.keytab")
- if (!new File(keytabFileName).exists()) {
- throw new SparkException(s"Keytab file: ${keytabFileName}" +
- " specified in spark.yarn.keytab does not exist")
- } else {
- logInfo("Attempting to login to Kerberos" +
- s" using principal: ${principalName} and keytab:
${keytabFileName}")
- UserGroupInformation.loginUserFromKeytab(principalName,
keytabFileName)
+ val keytabFileName = {
+ val keytab = sparkConf.get("spark.yarn.keytab")
+ if (new File(keytab).exists()) {
+ keytab
+ } else {
+ // Instead of using the spark conf of the current spark context,
a new
+ // instance of SparkConf is needed for the original value of
spark.yarn.keytab
+ // set in SparkSubmit, as yarn.Client resets the keytab
configuration for the link name
+ // in distributed cache, and this will make Spark driver fail to
get correct keytab
+ // path in yarn client mode.
+ val originKeytab = new SparkConf().get("spark.yarn.keytab")
+ require(originKeytab != null,
+ "spark.yarn.keytab is not configured, this is unexpected")
+ if (new File(originKeytab).exists()) {
+ originKeytab
+ } else {
+ throw new SparkException(s"Keytab file: $originKeytab " +
+ s"specified in spark.yarn.keytab does not exist")
+ }
+ }
}
+
+ logInfo("Attempting to login to Kerberos" +
+ s" using principal: ${principalName} and keytab:
${keytabFileName}")
+ UserGroupInformation.loginUserFromKeytab(principalName,
keytabFileName)
--- End diff --
That makes sense. With there was a different solution instead of logging in
again, but let's leave that for a separate discussion...
Instead of this change, how about making `Client.scala` store the AM
location for the keytab in a different key? As far as I can see
`AMCredentialRenewer` is the only place where it's used. I think that would be
a better change. The current change relies on `spark.yarn.keytab' being set as
a system property so that `new SparkConf()` picks it up.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
