Hi,
Given the other thread about per-job Kerberos identity, now's a good time to 
discuss some problems with the current delegation-token approach, since the 
answer could bear on the per-job enhancement.
Two problems:

1. Delegation tokens expire.  For a continuous streaming job to
   survive, the original keytab is needed to re-authenticate.  Spark
   Streaming solved this problem with `--keytab` on spark-submit (see
   AMDelegationTokenRenewer.scala).
2. Kafka doesn't support delegation tokens yet (see KIP-48 and
   KAFKA-1696).

Thoughts?  Thanks!
- Eron Wright
                                          
