Re: Mesos and Myriad Kerberos Support

2016-02-18 Thread Adam Bordelon
We at Mesosphere have a proprietary implementation of Kerberos ticket
forwarding using various Mesos hooks/modules, but this is specific to a
particular customer use case. We're actively working on a way to pass
keytabs/credentials to spark-submit so that it can forward them on to HDFS
or other services. While this is still a specific use case (Spark -> HDFS),
we're exploring how to generalize this approach beyond just Kerberos.

On Wed, Feb 10, 2016 at 5:56 PM,  wrote:

> Hello guys,
>
> I wanted to follow up a little further on today’s Hangouts call about
> Kerberos. For everyone else who may not have been on the call, the idea is:
> if you have Spark, Myriad and some task running on top of Mesos, and it
> needs access to some third-party service like HDFS that needs Kerberos
> credentials, how will that work?
>
> Adam has mentioned one solution he’s seen. This was to have credentials
> cached on the master that will then intercept the calls and annotate the
> task with their credentials and wrap the calls with something that unwraps
> the credentials and puts them into place to authenticate. This will require
> updating the TGTs as they expire.
>
> Adam, you’ve mentioned what Mesosphere is doing in this space as well, do
> you know if that is specific to Kerberos or something else? Any other
> suggestions will be helpful!
>
> Thanks!
>
>
> *Known Jiras regarding adding Kerberos support for Mesos
>
> https://issues.apache.org/jira/browse/MESOS-907
>
> Miguel Bernadin Accenture Technology Labs – System Engineering
> Contact: W (408) 817-2742 | M (631) 835-6345 |
> miguel.berna...@accenture.com
>


Re: Mesos and Myriad Kerberos Support

2016-02-11 Thread Sarjeet Singh
Thanks Miguel for summarizing this. I missed the hangout yesterday, though
:(

-Sarjeet

On Wed, Feb 10, 2016 at 5:56 PM,  wrote:

> Hello guys,
>
> I wanted to follow up a little further on today’s Hangouts call about
> Kerberos. For everyone else who may not have been on the call, the idea is:
> if you have Spark, Myriad and some task running on top of Mesos, and it
> needs access to some third-party service like HDFS that needs Kerberos
> credentials, how will that work?
>
> Adam has mentioned one solution he’s seen. This was to have credentials
> cached on the master that will then intercept the calls and annotate the
> task with their credentials and wrap the calls with something that unwraps
> the credentials and puts them into place to authenticate. This will require
> updating the TGTs as they expire.
>
> Adam, you’ve mentioned what Mesosphere is doing in this space as well, do
> you know if that is specific to Kerberos or something else? Any other
> suggestions will be helpful!
>
> Thanks!
>
>
> *Known Jiras regarding adding Kerberos support for Mesos
>
> https://issues.apache.org/jira/browse/MESOS-907
>
> Miguel Bernadin Accenture Technology Labs – System Engineering
> Contact: W (408) 817-2742 | M (631) 835-6345 |
> miguel.berna...@accenture.com
>


Mesos and Myriad Kerberos Support

2016-02-10 Thread miguel.bernadin
Hello guys,

I wanted to follow up a little further on today’s Hangouts call about Kerberos.
For everyone else who may not have been on the call, the idea is: if you have
Spark, Myriad and some task running on top of Mesos, and it needs access to some
third-party service like HDFS that needs Kerberos credentials, how will that
work?

Adam has mentioned one solution he’s seen. This was to have credentials cached
on the master that will then intercept the calls and annotate the task with
their credentials and wrap the calls with something that unwraps the
credentials and puts them into place to authenticate. This will require updating
the TGTs as they expire.

Adam, you’ve mentioned what Mesosphere is doing in this space as well, do you
know if that is specific to Kerberos or something else? Any other suggestions
will be helpful!

Thanks!


*Known Jiras regarding adding Kerberos support for Mesos

https://issues.apache.org/jira/browse/MESOS-907

Miguel Bernadin Accenture Technology Labs – System Engineering
Contact: W (408) 817-2742 | M (631) 835-6345 | 
miguel.berna...@accenture.com



This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise confidential information. If you have received it in 
error, please notify the sender immediately and delete the original. Any other 
use of the e-mail by you is prohibited. Where allowed by local law, electronic 
communications with Accenture and its affiliates, including e-mail and instant 
messaging (including content), may be scanned by our systems for the purposes 
of information security and assessment of internal compliance with Accenture 
policy.
__

www.accenture.com
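
The TGT-expiry concern raised in the message above, as an added example that is not part of the original thread or of any Mesos, Myriad or Mesosphere code: a check that a credential-forwarding wrapper could run before handing a ticket to a task. It assumes MIT `klist` output with `MM/DD/YYYY HH:MM:SS` timestamps; the function names, the 10-minute margin and the sample output are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: spark@EXAMPLE.COM

Valid starting       Expires              Service principal
02/10/2016 17:56:00  02/11/2016 03:56:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/17/2016 17:56:00
02/10/2016 18:01:12  02/11/2016 03:56:00  hdfs/nn1.example.com@EXAMPLE.COM
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumed timestamp format; klist output is locale-dependent
TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
# The krbtgt entry, optionally followed by its indented "renew until" line.
TGT_RE = re.compile(
    TS + r"\s+" + TS + r"\s+krbtgt/\S+(?:\n\s+renew until " + TS + r")?")


def parse_tgt(klist_output):
    """Return (expires, renew_until) for the krbtgt entry, or None if absent."""
    m = TGT_RE.search(klist_output)
    if m is None:
        return None
    expires = datetime.strptime(m.group(2), FMT)
    renew_until = datetime.strptime(m.group(3), FMT) if m.group(3) else None
    return expires, renew_until


def tgt_action(klist_output, now, margin=timedelta(minutes=10)):
    """Decide what the wrapper must do before forwarding the ticket to a task."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reacquire"      # no TGT in the cache: kinit from the keytab
    expires, renew_until = tgt
    if now + margin < expires:
        return "ok"             # ticket outlives the safety margin
    if now < expires and renew_until and now + margin < renew_until:
        return "renew"          # still valid and renewable: kinit -R
    return "reacquire"          # expired, or past the renewable lifetime
```

A ticket can only be renewed while it is still valid, so a wrapper that checks too rarely falls through to `reacquire` and needs the keytab again.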