[
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651827#comment-16651827
]
Thomas Graves commented on SPARK-25732:
---------------------------------------
yeah I understand the concern, we don't want to confuse user if we can help it.
The 2 command above are the same except the --proxy-user and in my opinion, I
don't think it would be confusing to the user, you pass in the keytab and
principal for the user who's credentials you want refreshed, in this case its
user "a" in both cases. Seems like making sure docs are clear should make it
clear to the users. I assume most users submitting via livy don't realize they
are using livy and being launched as proxy-user. So user would just specify
keytab/principal configs based on their own user.
> Allow specifying a keytab/principal for proxy user for token renewal
> ---------------------------------------------------------------------
>
> Key: SPARK-25732
> URL: https://issues.apache.org/jira/browse/SPARK-25732
> Project: Spark
> Issue Type: Improvement
> Components: Deploy
> Affects Versions: 2.4.0
> Reporter: Marco Gaido
> Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the
> lack of token renewal. In order to enable it, we need the the
> keytab/principal of the impersonated user to be specified, in order to have
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also
> in a distributed FS, so that applications can be submitted by servers (eg.
> Livy, Zeppelin) without needing all users' principals being on that machine.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
