spark-issues mailing list archives

From "Marco Gaido (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal
Date Tue, 16 Oct 2018 14:25:01 GMT

    [ https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651800#comment-16651800 ]

Marco Gaido commented on SPARK-25732:
-------------------------------------

[~tgraves] I think they can be reused, the point is that it may be confusing that:
{code}
kinit -kt super.keytab super@EXAMPLE.COM
spark-submit --principal a@EXAMPLE.COM --keytab hdfs:///a.keytab --proxy-user a
{code}
runs with user {{super}} impersonating user {{a}}, while
{code}
kinit -kt super.keytab super@EXAMPLE.COM
spark-submit --principal a@EXAMPLE.COM --keytab hdfs:///a.keytab
{code}
runs with user {{a}}. So the reason why I was proposing different configs is for clarity for the end user.

I think the other point is that giving the external systems the responsibility of pushing tokens can cause an indefinite number of issues, and it is going to be hard to understand where the responsibility is. Centralizing the responsibility in Spark would allow all these intermediate systems to work properly without any issue.


> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, applications submitted with proxy-user fail after 2 weeks due to the lack of token renewal. In order to enable it, we need the keytab/principal of the impersonated user to be specified, in order to have them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and {{--proxy-user-keytab}}, with the latter also allowing a keytab to be specified in a distributed FS, so that applications can be submitted by servers (e.g. Livy, Zeppelin) without needing all users' principals to be on that machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
