[ https://issues.apache.org/jira/browse/SPARK-19143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15814408#comment-15814408 ]
Mridul Muralidharan commented on SPARK-19143:
---------------------------------------------

As part of an unrelated work (though strangely, using livy), we have worked on adding support for external provision of credentials to a spark application. Detailing aspects specifically related to this jira here.

Currently AMDelegationTokenRenewer does both acquisition and distribution, which we split into two:
a) Actual token renewal - based on principal and keytab.
b) Token distribution - refactored out from AMDelegationTokenRenewer. (ExecutorDelegationTokenUpdater is the dual of this for update)

Token renewal continues to live in AMDelegationTokenRenewer.
The new DelegationTokenDistributer allows for distribution of tokens generated - which can be generated by AMDelegationTokenRenewer as currently, or out of band through 'other' means.

In our specific case, we added 'spark.yarn.credentials.external.update' - which allowed for external provision of tokens to AMDelegationTokenRenewer without AMDelegationTokenRenewer in the spark application - so no need for principal/keytab to be available for the spark application.
"spark.yarn.credentials.file" continues to be leveraged for distribution purposes as is currently done.

/CC [~tgraves], you might be interested in this given some of the past conversations on PRs.

> API in Spark for distributing new delegation tokens (Improve delegation token handling in secure clusters)
> ----------------------------------------------------------------------------------------------------------
>
> Key: SPARK-19143
> URL: https://issues.apache.org/jira/browse/SPARK-19143
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core, YARN
> Affects Versions: 2.0.2, 2.1.0
> Reporter: Ruslan Dautkhanov
>
> Spin off from SPARK-14743 and comments chain in [recent comments|https://issues.apache.org/jira/browse/SPARK-5493?focusedCommentId=15802179&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15802179] in SPARK-5493.
> Spark currently doesn't have a way for distributing new delegation tokens.
> Quoting [~vanzin] from SPARK-5493
> {quote}
> IIRC Livy doesn't yet support delegation token renewal. Once it reaches the TTL, the session is unusable.
> There might be ways to hack support for that without changes in Spark, but I'd like to see a proper API in Spark for distributing new delegation tokens. I mentioned that in SPARK-14743, but although that bug is closed, that particular feature hasn't been implemented yet.
> {quote}
> Other thoughts?