[ https://issues.apache.org/jira/browse/SPARK-5493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15805198#comment-15805198 ]

Ruslan Dautkhanov edited comment on SPARK-5493 at 1/6/17 6:19 PM:
------------------------------------------------------------------

{quote}There might be ways to hack support for that without changes in Spark, 
but I'd like to see a proper API in Spark for distributing new delegation 
tokens. I mentioned that in SPARK-14743, but although that bug is closed, that 
particular feature hasn't been implemented yet.
{quote}

[~vanzin], would it be possible to submit a new jira for this part that didn't 
get implemented in SPARK-14743?
Thank you.

{quote}
There might be ways to hack support for that without changes in Spark
{quote}
Something like ssh'ing regularly into all Hadoop nodes under proxied user id 
and running kinit?
Yep, a proper API would be better here.

{quote}
It would expose the keytab to the proxied user, which in 99% of the cases is 
not wanted.
{quote}
Since keytab will be owned by a "service" account, not by proxied users, and 
keytab file will have proper OS permissions, not sure I'm following how keytab 
would be exposed to those proxied users? Could you please elaborate? Proxy 
authentication is only for Hadoop services. Keytab is just a file and we could 
rely on OS permissions to lock its access. I'm probably missing something here.


was (Author: tagar):
{quote}There might be ways to hack support for that without changes in Spark, 
but I'd like to see a proper API in Spark for distributing new delegation 
tokens. I mentioned that in SPARK-14743, but although that bug is closed, that 
particular feature hasn't been implemented yet.
{quote}

[~vanzin], would it be possible to submit a new jira for this part that didn't 
get implemented in SPARK-14743?
Thank you.

{quote}
There might be ways to hack support for that without changes in Spark
{quote}
Something like ssh'ing regularly into all Hadoop nodes under proxied user id 
and running kinit?
Yep, a proper API would be better here.

{quote}
It would expose the keytab to the proxied user, which in 99% of the cases is 
not wanted.
{quote}
Since keytab will be owned by a "service" account, not by proxied users, and 
keytab file will have proper OS permissions, not sure I'm following how keytab 
would be exposed to those proxied users? Could you please elaborate? Proxy 
authentication is only for Hadoop services. Keytab is just a file and we could 
rely on OS permissions to lock its access, relying on regular OS permissions. 
I'm probably missing something here.

> Support proxy users under kerberos
> ----------------------------------
>
>                 Key: SPARK-5493
>                 URL: https://issues.apache.org/jira/browse/SPARK-5493
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 1.2.0
>            Reporter: Brock Noland
>            Assignee: Marcelo Vanzin
>             Fix For: 1.3.0
>
>
> When using kerberos, services may want to use spark-submit to submit jobs as 
> a separate user. For example a service like hive might want to submit jobs as 
> a client user.


