GitHub user vanzin commented on the issue:
https://github.com/apache/spark/pull/16788
> In order to renew delegation tokens, the ApplicationMaster needs access
> to the keytab, right?
Yes.
> So why must the driver send delegation tokens to the ApplicationMaster,
> if the ApplicationMaster already has access to the keytab, and can thus fetch
> delegation tokens itself?
The AM reads the keytab from HDFS. Without the initial delegation token,
the AM cannot access HDFS to read the keytab. Chicken & egg.
Also note, as I said before, that `--principal` and `--keytab` are *not*
required for Kerberos support. They are only required for creating new
delegation tokens after the original ones exceed their maximum life. If your
apps won't run for more than that, you don't need `--principal` and `--keytab`
at all.