[ https://issues.apache.org/jira/browse/SPARK-5493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15805198#comment-15805198 ]
Ruslan Dautkhanov edited comment on SPARK-5493 at 1/6/17 6:19 PM:
------------------------------------------------------------------

{quote}
There might be ways to hack support for that without changes in Spark, but I'd like to see a proper API in Spark for distributing new delegation tokens. I mentioned that in SPARK-14743, but although that bug is closed, that particular feature hasn't been implemented yet.
{quote}

[~vanzin], would it be possible to submit a new jira for this part that didn't get implemented in SPARK-14743? Thank you.

{quote}
There might be ways to hack support for that without changes in Spark
{quote}

Something like ssh'ing regularly into all Hadoop nodes under proxied user id and running kinit? Yep, a proper API would be better here.

{quote}
It would expose the keytab to the proxied user, which in 99% of the cases is not wanted.
{quote}

Since keytab will be owned by a "service" account, not by proxied users, and keytab file will have proper OS permissions, not sure I'm following how keytab would be exposed to those proxied users? Could you please elaborate. Proxy authentication is only for Hadoop services. keytab is just a file and we could rely on OS permissions to lock its access. I'm probably missing something here.


was (Author: tagar):

{quote}
There might be ways to hack support for that without changes in Spark, but I'd like to see a proper API in Spark for distributing new delegation tokens. I mentioned that in SPARK-14743, but although that bug is closed, that particular feature hasn't been implemented yet.
{quote}

[~vanzin], would it be possible to submit a new jira for this part that didn't get implemented in SPARK-14743? Thank you.

{quote}
There might be ways to hack support for that without changes in Spark
{quote}

Something like ssh'ing regularly into all Hadoop nodes under proxied user id and running kinit? Yep, a proper API would be better here.

{quote}
It would expose the keytab to the proxied user, which in 99% of the cases is not wanted.
{quote}

Since keytab will be owned by a "service" account, not by proxied users, and keytab file will have proper OS permissions, not sure I'm following how keytab would be exposed to those proxied users? Could you please elaborate. Proxy authentication is only for Hadoop services. keytab is just a file and we could rely on OS permissions to lock its access, relying on regular OS permissions. I'm probably missing something here.

> Support proxy users under kerberos
> ----------------------------------
>
>                 Key: SPARK-5493
>                 URL: https://issues.apache.org/jira/browse/SPARK-5493
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 1.2.0
>            Reporter: Brock Noland
>            Assignee: Marcelo Vanzin
>             Fix For: 1.3.0
>
>
> When using kerberos, services may want to use spark-submit to submit jobs as
> a separate user. For example a service like hive might want to submit jobs as
> a client user.