vanzin commented on a change in pull request #23338: [SPARK-25689][yarn] Make
driver, not AM, manage delegation tokens.
URL: https://github.com/apache/spark/pull/23338#discussion_r245126441
##########
File path:
core/src/main/scala/org/apache/spark/deploy/security/HiveDelegationTokenProvider.scala
##########
@@ -67,11 +67,11 @@ private[spark] class HiveDelegationTokenProvider
// Other modes (such as client with or without keytab, or cluster mode
with keytab) do not need
// a delegation token, since there's a valid kerberos TGT for the right
user available to the
// driver, which is the only process that connects to the HMS.
- val deployMode = sparkConf.get("spark.submit.deployMode", "client")
- UserGroupInformation.isSecurityEnabled &&
+ val currentToken =
UserGroupInformation.getCurrentUser().getCredentials().getToken(tokenAlias)
+ currentToken == null && UserGroupInformation.isSecurityEnabled &&
Review comment:
The Hive provider is a bit weird. The comment above explains a bit of the
issue.
The added code avoids trying to get a delegation token in the case where you
have a pre-defined token cache (e.g. what happens when you submit via Oozie).
That would generate an ugly exception in my tests, although the app itself
would work fine.
Hive tokens are actually never re-created by Spark. In client mode, they're
not needed, since the driver has a kerberos tgt. In cluster mode, you either
have a keytab and thus a tgt, or you have tokens created by the launcher, in
which case you won't create new ones.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
