[ https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651301#comment-16651301 ]
Mridul Muralidharan commented on SPARK-25732:
---------------------------------------------

[~vanzin] With long running applications (not necessarily streaming) needing access (read/write) to various data sources (not just hdfs), is there a way to do this even assuming livy rpc was augmented to support it? For example, livy server would not know which data sources to fetch tokens for (since that will be part of user application jars/config).

For the specific use case [~mgaido] detailed, proxy principal (foo)/keytab would be present and distinct from zeppelin or livy principal/keytab. The 'proxy' part would simply be for livy to submit the application as the proxied user 'foo' - once application comes up, it will behave as though it was submitted by the user 'foo' with specified keytab (from hdfs) - acquire/renew tokens for user 'foo' from its keytab.

[~tgraves] I do share your concern; unfortunately for the use case Marco is targeting, there does not seem to be an alternative; livy server is man in the middle here (w.r.t. submitting client). Having said that, if there is an alternative, I would definitely prefer that over sharing keytabs - even if it is over secured hdfs.

> Allow specifying a keytab/principal for proxy user for token renewal
> ---------------------------------------------------------------------
>
> Key: SPARK-25732
> URL: https://issues.apache.org/jira/browse/SPARK-25732
> Project: Spark
> Issue Type: Improvement
> Components: Deploy
> Affects Versions: 2.4.0
> Reporter: Marco Gaido
> Priority: Major
>
> As of now, applications submitted with proxy-user fail after 2 weeks due to the
> lack of token renewal. In order to enable it, we need the
> keytab/principal of the impersonated user to be specified, in order to have
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and
> {{--proxy-user-keytab}}, with the latter also allowing a keytab to be specified
> in a distributed FS, so that applications can be submitted by servers (e.g.
> Livy, Zeppelin) without needing all users' principals to be on that machine.