[ https://issues.apache.org/jira/browse/SPARK-13478?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16658025#comment-16658025 ]

Marcelo Vanzin commented on SPARK-13478:
----------------------------------------

If you run as user1 with the poweruser's keytab, it means the code running as 
user1 will have access to poweruser's keytab. That may be a security concern 
depending on your environment.

But the REALLY safe way is to deploy the app with user1's keytab. If you can 
impersonate user1, there's no reason why you wouldn't instead get its keytab, 
so just do that instead. It's safer since it keeps the poweruser's keytab more 
protected.

So, to repeat this again: always use the keytab of the least privileged user. 
Or just give up on token renewal and restart the app as needed.

> Fetching delegation tokens for Hive fails when using proxy users
> ----------------------------------------------------------------
>
>                 Key: SPARK-13478
>                 URL: https://issues.apache.org/jira/browse/SPARK-13478
>             Project: Spark
>          Issue Type: Bug
>          Components: YARN
>    Affects Versions: 1.6.0, 2.0.0
>            Reporter: Marcelo Vanzin
>            Assignee: Marcelo Vanzin
>            Priority: Minor
>             Fix For: 1.6.4, 2.0.0
>
>
> If you use spark-submit's proxy user support, the code that fetches 
> delegation tokens for the Hive Metastore fails. It seems like the Hive 
> library tries to connect to the Metastore as the proxy user, and it doesn't 
> have a Kerberos TGT for that user, so it fails.
> I don't know whether the same issue exists in the HBase code, but I'll make a 
> similar change so that both behave similarly.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
