[ https://issues.apache.org/jira/browse/SAMZA-727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15174208#comment-15174208 ]

Chen Song commented on SAMZA-727:
---------------------------------

Based on the discussions so far,

At a high level, I am leaning towards using the approach documented here: AM keytab + renewal and forwarding of Delegation Tokens to containers.

So I am proposing to do this:

1. The client provides a keytab that is pre-installed on the Hadoop client box.
2. The keytab is added as a localized resource (with Private or Application resource scope).
3. The Application Master will localize the keytab and stay authenticated as needed.
4. Containers will only use delegation tokens. Specifically,
    4.1. Containers will use the AM/RM token created initially on the client side.
    4.2. When the delegation token is about to expire on a container, the container would need to request new delegation tokens. Containers would need to communicate with the AM to get the delegation tokens. Some options here are:
        - The AM will recreate delegation tokens before they are due to expire and expose the credentials in a new endpoint on the Job Coordinator, and containers can get the tokens via the Job Coordinator HTTP service. (In the future, HTTPS may be a more secure way.)
        - Use HDFS to store the recreated credentials. This is what Spark does.
        - For both ways, the assumption is that the AM is able to recreate the token beforehand and make it available, without needing to get explicit requests from containers.
5. When a container crashes, it should be able to get the latest token from the Job Coordinator, if any.
6. When the AM or a container crashes or restarts after the original RM token expires (which cannot be renewed anymore): I am not sure if I clearly understand how to handle this scenario in general. I need more guidance on this part.

> Support for Kerberos
> --------------------
>
>                 Key: SAMZA-727
>                 URL: https://issues.apache.org/jira/browse/SAMZA-727
>             Project: Samza
>          Issue Type: New Feature
>          Components: yarn
>    Affects Versions: 0.9.0
>         Environment: YARN with Kerberos
>            Reporter: Qi FU
>            Assignee: Chen Song
>             Fix For: 0.10.1
>
>         Attachments: SAMZA-727.patch
>
>
> Samza doesn't support Kerberos, which is very common for YARN clusters.
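
The timing of the refresh scheme proposed in the comment above (steps 4.2 and 5), as an added example that is not part of the original comment or of Samza's code. It is a clock-driven model only and calls no Hadoop API; the class names, the 24-hour lifetime and the 75% refresh point are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from itertools import count

LIFETIME = 24 * 3600   # assumed token lifetime in seconds (constructed value)
REFRESH_AT = 0.75      # assumed: AM re-creates the token at 75% of its lifetime
_serial = count(1)

@dataclass(frozen=True)
class Token:
    serial: int
    issued: int
    expires: int

class AppMaster:
    """Model of the AM: it holds the keytab, so it can mint a token at any time."""
    def __init__(self, now):
        self.current = Token(next(_serial), now, now + LIFETIME)

    def tick(self, now):
        # Step 4.2: re-create ahead of expiry, without a request from a container.
        if now >= self.current.issued + REFRESH_AT * LIFETIME:
            self.current = Token(next(_serial), now, now + LIFETIME)

class Container:
    """Model of a container: it has no keytab and only ever holds a token."""
    def __init__(self, am):
        self.am = am
        self.token = am.current  # start-up and crash recovery (step 5)

    def tick(self, now):
        # Poll the published token once the local one is in its last 3 hours.
        if self.token.expires - now <= (1 - REFRESH_AT) * LIFETIME / 2:
            self.token = self.am.current

def simulate(hours, crash_at=None, container_polls=True):
    """Return the hours at which the container held no valid token."""
    am = AppMaster(0)
    container, gaps = Container(am), []
    for hour in range(1, hours + 1):
        now = hour * 3600
        am.tick(now)
        if hour == crash_at:
            container = Container(am)  # restarted container re-fetches
        if container_polls:
            container.tick(now)
        if now >= container.token.expires:
            gaps.append(hour)
    return gaps
```

With polling enabled the container never holds an expired token, including across a restart; with polling disabled it loses authentication at hour 24, which is the gap the proposal's refresh endpoint is meant to close.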


