[ 
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650560#comment-16650560
 ] 

Thomas Graves commented on SPARK-25732:
---------------------------------------

I would much rather see Spark start to push tokens and distribute them.

I'm not fond of pushing keytabs; many security folks/companies won't allow it.
If you do this it means that all the users' keytabs are in HDFS all the time,
which in my opinion is even worse than our existing keytab/principal options
where it can be picked up locally and it's only in HDFS temporarily. Just more
chances permissions are messed up and people compromise keytabs which are
indefinitely and much harder to revoke than things like tokens.

Pushing tokens is definitely more work, but I think we should go that way long
term. Having an RPC connection between client and driver can be useful for
other things as well.

> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, applications submitted with proxy-user fail after 2 weeks due to the
> lack of token renewal. In order to enable it, we need the
> keytab/principal of the impersonated user to be specified, in order to have
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and
> {{--proxy-user-keytab}}, with the latter allowing a keytab to be specified also
> in a distributed FS, so that applications can be submitted by servers (e.g.
> Livy, Zeppelin) without needing all users' principals to be on that machine.


