squito commented on a change in pull request #23338: [SPARK-25689][yarn] Make
driver, not AM, manage delegation tokens.
URL: https://github.com/apache/spark/pull/23338#discussion_r245124995
##########
File path:
core/src/main/scala/org/apache/spark/deploy/security/HiveDelegationTokenProvider.scala
##########
@@ -67,11 +67,11 @@ private[spark] class HiveDelegationTokenProvider
// Other modes (such as client with or without keytab, or cluster mode
with keytab) do not need
// a delegation token, since there's a valid kerberos TGT for the right
user available to the
// driver, which is the only process that connects to the HMS.
- val deployMode = sparkConf.get("spark.submit.deployMode", "client")
- UserGroupInformation.isSecurityEnabled &&
+ val currentToken =
UserGroupInformation.getCurrentUser().getCredentials().getToken(tokenAlias)
+ currentToken == null && UserGroupInformation.isSecurityEnabled &&
Review comment:
sorry I'm not sure I follow. To put it another way -- whats the situation
in which you're trying to *avoid* renewing tokens with this change?
it looks to me like the first time, `delegationTokensRequired` will not find
an existing token, so will return true, and then obtainDelegationTokens will
get DTs with a new Credentials and then copy them to the current user. But
then on the next call to `delegationTokensRequired`, there will still be the
old token sitting in the current user, so `currentToken != null`. That will
remain true forever.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
