Github user vanzin commented on a diff in the pull request:

    https://github.com/apache/spark/pull/20945#discussion_r178675596
  
    --- Diff: resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosClusterScheduler.scala ---
    @@ -506,6 +506,10 @@ private[spark] class MesosClusterScheduler(
           options ++= Seq("--class", desc.command.mainClass)
         }
     
    +    desc.conf.getOption("spark.mesos.proxyUser").foreach { v =>
    +      options ++= Seq("--proxy-user", v)
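Review bot: In the added `desc.conf.getOption("spark.mesos.proxyUser")` block, the value is passed to `--proxy-user` exactly as read from `desc.conf`, and nothing in this hunk checks that it is non-empty or that the submitter is allowed to impersonate that user. Consider validating the value before appending it to `options`, and documenting the new `spark.mesos.proxyUser` key, including which process holds the credentials used for the impersonation.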
    --- End diff --
    
    This looks a little odd. How's a cluster mode app run in Mesos?
    
    Basically what I want to know:
    - which process starts the driver
    - what user that process is running as, and which user will the driver process run as
    - what Kerberos credentials does it have and how are they managed
    
    The gist is that running the Spark driver in client mode (which I think is how the driver in cluster mode is started eventually?) with a proxy user is a weird combination. It means the user code running in that driver has access to the credentials of the more privileged user - and could in its turn use those to run anything as any other user...
    
    In comparison, YARN + cluster mode + proxy user starts the YARN application as the proxy user. So the user code, which only runs in a YARN container, has no access to the privileged credentials, which only exist in the launcher.

