Github user vanzin commented on a diff in the pull request:
--- Diff: docs/security.md ---
@@ -182,54 +580,70 @@ configure those ports.
-### HTTP Security Headers
-Apache Spark can be configured to include HTTP Headers which aids in
-Site Scripting (XSS), Cross-Frame Scripting (XFS), MIME-Sniffing and also
-Strict Transport Security.
+Spark supports submitting applications in environments that use Kerberos
+In most cases, Spark relies on the credentials of the current logged in
user when authenticating
+to Kerberos-aware services. Such credentials can be obtained by logging in
to the configured KDC
+with tools like `kinit`.
+When talking to Hadoop-based services, Spark needs to obtain delegation
tokens so that non-local
+processes can authenticate. Spark ships with support for HDFS and other
Hadoop file systems, Hive
+When using a Hadoop filesystem (such HDFS or WebHDFS), Spark will acquire
the relevant tokens
+for the service hosting the user's home directory.
+An HBase token will be obtained if HBase is in the application's
classpath, and the HBase
+configuration has Kerberos authentication turned
+Similarly, a Hive token will be obtained if Hive is in the classpath, and
the configuration includes
+a URIs for remote metastore services (`hive.metastore.uris` is not empty).
+Delegation token support is currently only supported in YARN and Mesos
modes. Consult the
+deployment-specific page for more information.
+The following options provides finer-grained control for this feature:
- <td><code>1; mode=block</code></td>
- Value for HTTP X-XSS-Protection response header. You can choose
- from below:
- <li><code>0</code> (Disables XSS filtering)</li>
- <li><code>1</code> (Enables XSS filtering. If a cross-site scripting
attack is detected,
- the browser will sanitize the page.)</li>
- <li><code>1; mode=block</code> (Enables XSS filtering. The browser
will prevent rendering
- of the page if an attack is detected.)</li>
- When value is set to "true", X-Content-Type-Options HTTP response
header will be set
- to "nosniff". Set "false" to disable.
- Value for HTTP Strict Transport Security (HSTS) Response Header. You
can choose appropriate
- value from below and set <code>expire-time</code> accordingly, when
Spark is SSL/TLS enabled.
- <li><code>max-age=<expire-time>; includeSubDomains</code></li>
- <li><code>max-age=<expire-time>; preload</code></li>
+ Controls whether to obtain credentials for services when security is
+ By default, credentials for all supported services are retrieved when
those services are
+ configured, but it's possible to disable that behavior if it somehow
conflicts with the
+ application being run.
-See the [configuration page](configuration.html) for more details on the
-parameters, and <a
-<code>org.apache.spark.SecurityManager</code></a> for implementation
details about security.
+## Long-Running Applications
+Long-running applications may run into issues if their run time exceeds
the maximum delegation
+token lifetime configured in services it needs to access.
+Spark supports automatically creating new tokens for these applications
when running in YARN mode.
+Kerberos credentials need to be provided to the Spark application via the
+using the `--principal` and `--keytab` parameters.
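Review bot: Several of the added Kerberos sentences have wording slips worth fixing before merge: "(such HDFS or WebHDFS)" is missing "as", "a URIs for remote metastore services" pairs a singular article with a plural noun, "The following options provides" should read "provide", and "Delegation token support is currently only supported" repeats itself (for example, "Delegation tokens are currently only supported in YARN and Mesos modes"). In the Long-Running Applications section, "services it needs to access" should be "services they need to access" to agree with "applications". That section's last sentence, as quoted, goes from "via the" straight to "using the `--principal` and `--keytab` parameters", so it should name the command that takes those parameters.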
--- End diff --
I moved the yarn/kerberos configs to a new separate table in the YARN page.
That should make them more visible.