spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Marcelo Vanzin (JIRA)" <>
Subject [jira] [Commented] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal
Date Mon, 15 Oct 2018 18:34:00 GMT


Marcelo Vanzin commented on SPARK-25732:

In fact, do you even need proxy user + keytab at all?

If you just submit the application using principal / keytab from the command line, as is available
today, isn't that the exact same thing? Other than the keytab needing to be available on the
submitting node, seems like it does all you need?

Only thing missing would be to download the keytab from remote storage if needed, and then
cleaning it up.

> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>                 Key: SPARK-25732
>                 URL:
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
> As of now, application submitted with proxy-user fail after 2 week due to the lack of
token renewal. In order to enable it, we need the the keytab/principal of the impersonated
user to be specified, in order to have them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and {{--proxy-user-keytab}},
and the last letting a keytab being specified also in a distributed FS, so that applications
can be submitted by servers (eg. Livy, Zeppelin) without needing all users' principals being
on that machine.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message