From: "Marco Gaido (JIRA)"
To: issues@spark.apache.org
Date: Tue, 16 Oct 2018 14:25:01 +0000 (UTC)
Subject: [jira] [Commented] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal

[ https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651800#comment-16651800 ]

Marco Gaido commented on SPARK-25732:
-------------------------------------

[~tgraves] I think they can be reused; the point is that it may be confusing that:

{code}
kinit -kt super.keytab super@EXAMPLE.COM
spark-submit --principal a@EXAMPLE.COM --keytab hdfs:///a.keytab --proxy-user a
{code}

runs with user {{super}} impersonating user {{a}}, while

{code}
kinit -kt super.keytab super@EXAMPLE.COM
spark-submit --principal a@EXAMPLE.COM --keytab hdfs:///a.keytab
{code}

runs with user {{a}}. So the reason why I was proposing different configs is for clarity for the end user.

I think the other point is that giving the external systems the responsibility of pushing tokens can cause an indefinite number of issues, and it is going to be hard to understand where the responsibility is. Centralizing the responsibility in Spark would allow all these intermediate systems to work properly without any issue.
> Allow specifying a keytab/principal for proxy user for token renewal
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, applications submitted with proxy-user fail after 2 weeks due to the lack of token renewal. In order to enable it, we need the keytab/principal of the impersonated user to be specified, in order to have them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and {{--proxy-user-keytab}}, the latter letting a keytab be specified also on a distributed FS, so that applications can be submitted by servers (e.g. Livy, Zeppelin) without needing all users' principals to be on that machine.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)