[jira] [Comment Edited] (SPARK-25732) Allow specifying a keytab/principal for proxy user for token renewal

Tue, 16 Oct 2018 07:54:25 -0700 


    [ 
https://issues.apache.org/jira/browse/SPARK-25732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16651840#comment-16651840
 ] 

Thomas Graves edited comment on SPARK-25732 at 10/16/18 2:53 PM:
-----------------------------------------------------------------

sorry just realized I misread the second one, thought it was kinit as user a.  
why would you run the second command?

I would actually expect that to fail or run as the super user unless it 
downloaded the keytab and kinit'd on submission before it did anything with 
hdfs, etc.

I guess that is the confusion you were referring to and can see that but it 
seems like an odd use case to me.  Is something submitting this way now?  It 
almost seems like something we should disallow.


was (Author: tgraves):
sorry just realized I misread the second one, though it was kinit as user a.  
why would you run the second command?

I would actually expect that to fail or run as the super user unless it 
downloaded the keytab and kinit'd on submission before it did anything with 
hdfs, etc.

> Allow specifying a keytab/principal for proxy user for token renewal 
> ---------------------------------------------------------------------
>
>                 Key: SPARK-25732
>                 URL: https://issues.apache.org/jira/browse/SPARK-25732
>             Project: Spark
>          Issue Type: Improvement
>          Components: Deploy
>    Affects Versions: 2.4.0
>            Reporter: Marco Gaido
>            Priority: Major
>
> As of now, application submitted with proxy-user fail after 2 week due to the 
> lack of token renewal. In order to enable it, we need the the 
> keytab/principal of the impersonated user to be specified, in order to have 
> them available for the token renewal.
> This JIRA proposes to add two parameters {{--proxy-user-principal}} and 
> {{--proxy-user-keytab}}, and the last letting a keytab being specified also 
> in a distributed FS, so that applications can be submitted by servers (eg. 
> Livy, Zeppelin) without needing all users' principals being on that machine.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to