[GitHub] spark pull request #21669: [SPARK-23257][K8S] Kerberos Support for Spark on ...

Wed, 05 Sep 2018 18:14:35 -0700 

Github user ifilonenko commented on a diff in the pull request:

    https://github.com/apache/spark/pull/21669#discussion_r215470115
  
    --- Diff: 
resource-managers/kubernetes/core/src/main/scala/org/apache/spark/deploy/k8s/features/hadoopsteps/HadoopKerberosSecretResolverStep.scala
 ---
    @@ -0,0 +1,41 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.spark.deploy.k8s.features.hadoopsteps
    +
    +import 
org.apache.spark.deploy.k8s.security.KubernetesHadoopDelegationTokenManager
    +import org.apache.spark.internal.Logging
    +
    + /**
    +  * This step assumes that you have already done all the heavy lifting in 
retrieving a
    --- End diff --
    
    This specific "step" is used when the delegation token has already been 
stored in a pre-existing secret (that is not created on-the-fly by the 
Submission Client). This is a use-case we have seen desired by those running on 
Kubernetes Clusters where they do not wish to provide certain clients with 
keytabs and merely wish to point to pre-populated secrets that the user has 
access to (access is restricted via RBAC). 
    
    I thought that secret creation logic and non-creation logic should be 
separated, but I can combine them into the same step. I just thought it would 
be more clear. 
    
    (Also easier for unit testing). 


---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org

Reply via email to