Turns out ambari-agent is my friend and was periodically renewing the ticket for me. Hurrah!
Thanks for the pointers, James On Tue, 15 Oct 2019 at 08:05, James Srinivasan <james.sriniva...@gmail.com> wrote: > > No, I don't specify any keytabs in the config files. However, I have > several Zeppelin instances running on the same machine so will double > check. > > Thanks > > On Tue, 15 Oct 2019 at 03:39, Jeff Zhang <zjf...@gmail.com> wrote: > > > > Or do you specify zeppelin.server.kerberos.keytab in zeppelin-site.xml ? > > > > James Srinivasan <james.sriniva...@gmail.com> 于2019年10月15日周二 上午10:35写道: > >> > >> No, and in any case I don't think that works when proxying users? > >> > >> On Tue, 15 Oct 2019, 02:25 Jeff Zhang, <zjf...@gmail.com> wrote: > >>> > >>> Do you specify spark.yarn.keytab somewhere ? > >>> > >>> James Srinivasan <james.sriniva...@gmail.com> 于2019年10月15日周二 上午4:01写道: > >>>> > >>>> I'm testing Zeppelin 0.8.2, using AD for user authentication and Spark > >>>> with user impersonation. > >>>> > >>>> If I log into my zeppelin host as the zeppelin (domain) user, check I > >>>> have a Kerberos ticket using klist, start zeppelin and then run some > >>>> Spark code (yarn-cluster), everything is fine - the Spark job is shown > >>>> in the YARN UI running as the AD user that I log into Zeppelin with. > >>>> > >>>> However, if I stop zeppelin, run kdestroy, check I have no ticket > >>>> using klist, then restart zeppelin and run Spark code, it still seems > >>>> to work fine. In fact, checking (using klist) indicates a Kerberos > >>>> ticket is acquired when just before running the Spark code. My > >>>> question is how does this work, and where is the keytab (I presume) > >>>> specified? > >>>> > >>>> Many thanks, > >>>> > >>>> James > >>> > >>> > >>> > >>> -- > >>> Best Regards > >>> > >>> Jeff Zhang > > > > > > > > -- > > Best Regards > > > > Jeff Zhang