[GitHub] spark issue #17723: [SPARK-20434][YARN][CORE] Move kerberos delegation token...

Thu, 04 May 2017 16:57:28 -0700 

Github user vanzin commented on the issue:

    https://github.com/apache/spark/pull/17723
  
    > On the contrary, this is handled if you read the proposal - 
ServiceTokenManager.acquireTokens will do the necessary setup
    
    Yes, that's approach (b) which I said still assumes that the interface you 
created is enough for other security systems. Which is a big if, since we don't 
know any of them.
    
    > Given rxin's comment above, I am actually more convinced that taking a 
hadoop-security only route is detrimental 
    
    Reynold mentioned that a lot of users don't need Hadoop security, which is 
true. But he didn't mention any other security system that actually needs 
anything like this, so that's not an argument for a super generic interface.
    
    Which is what I've been saying all along. You don't know of any other 
system that needs anything like this, so you don't know if the interface you're 
creating will be useful to them or cover all their needs. If there the least 
bit of difference in how this hypothetical system works, your abstraction goes 
down the drain.
    
    Instead, we have actual use cases for Hadoop security. They don't benefit 
from the abstraction you're trying to create at all, since internally they 
still need to deal with UGI and all the rest of the Hadoop security API. So why 
force the abstraction right now?
    
    I'm not saying that abstraction are bad. I'm just saying that at this point 
they're completely unnecessary and avoidable, and I haven't seen any use case 
for them here. Give me a *single* use case and I'll agree with you, but I 
haven't seen one.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org

Reply via email to