Github user vanzin commented on a diff in the pull request:

    https://github.com/apache/spark/pull/20945#discussion_r178955126
  
    --- Diff: resource-managers/mesos/src/main/scala/org/apache/spark/scheduler/cluster/mesos/MesosClusterScheduler.scala ---
    @@ -506,6 +506,10 @@ private[spark] class MesosClusterScheduler(
           options ++= Seq("--class", desc.command.mainClass)
         }
     
    +    desc.conf.getOption("spark.mesos.proxyUser").foreach { v =>
    +      options ++= Seq("--proxy-user", v)
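Review bot: on the added `desc.conf.getOption("spark.mesos.proxyUser")` line, the value `v` read from the driver description's conf is forwarded to `--proxy-user` unchanged, and nothing visible in this hunk checks that it is non-empty or that the submitter is permitted to impersonate that user. Suggest validating or authorizing the value on the dispatcher side before appending it to `options`, and documenting the new `spark.mesos.proxyUser` key, including which process is expected to hold the impersonation credentials.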
    --- End diff --
    
    I don't understand the separation.
    
    You're starting `spark-submit` with `--proxy-user`, right? That *requires* the `spark-submit` process to know the credentials of the user that can impersonate another user.
    
    If that `spark-submit` process is run in client mode, then it's running untrusted user code. Which means it also has access to those same super user credentials, and that's a security problem.
    
    You have this in L530 below this code:
    
    ```
    "spark.submit.deployMode", // this would be set to `cluster`, but we need client
    ```
    
    What am I missing here?

