[
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651301#comment-16651301
]
Mridul Muralidharan commented on SPARK-25732:
---------------------------------------------
[~vanzin] With long running applications (not necessarily streaming) needing
access (read/write) to various data sources (not just hdfs), is there a way to
do this even assuming livy rpc was augmented to support it ? For example, livy
server would not know which data sources to fetch tokens for (since that will
be part of user application jars/config).
For the specific usecase [~mgaido] detailed, proxy principal (foo)/keytab would
be present and distinct from zeppelin or livy principal/keytab.
The 'proxy' part would simply be for livy to submit the application as the
proxied user 'foo' - once application comes up, it will behave as though it was
submitted by the user 'foo' with specified keytab (from hdfs) - acquire/renew
tokens for user 'foo' from its keytab.
[~tgraves] I do share your concern; unfortunately for the usecase Marco is
targeting, there does not seem to be an alternative; livy server is man in the
middle here (w.r.t submitting client).
Having said that, if there is an alternative, I would definitely prefer that
over sharing keytabs - even if it is over secured hdfs.
> Allow specifying a keytab/principal for proxy user for token renewal
> ---------------------------------------------------------------------
>
> Key: SPARK-25732
> URL: https://issues.apache.org/jira/browse/SPARK-25732
> Project: Spark
> Issue Type: Improvement
> Components: Deploy
> Affects Versions: 2.4.0
> Reporter: Marco Gaido
> Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the
> lack of token renewal. In order to enable it, we need the the
> keytab/principal of the impersonated user to be specified, in order to have
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also
> in a distributed FS, so that applications can be submitted by servers (eg.
> Livy, Zeppelin) without needing all users' principals being on that machine.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
