[ 
https://issues.apache.org/jira/browse/SPARK-25428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Hyukjin Kwon resolved SPARK-25428.
----------------------------------
    Resolution: Incomplete

> Support plain Kerberos Authentication with Spark
> ------------------------------------------------
>
>                 Key: SPARK-25428
>                 URL: https://issues.apache.org/jira/browse/SPARK-25428
>             Project: Spark
>          Issue Type: New Feature
>          Components: Spark Core
>    Affects Versions: 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1
>            Reporter: Shruti Gumma
>            Priority: Major
>              Labels: bulk-closed, features
>
> Spark should work with plain Kerberos authentication. Currently, Spark can 
> work with Hadoop delegation tokens, but not plain Kerberos. Hadoop's 
> UserGroupInformation(UGI) class is responsible for handling security 
> authentication in Spark. This UserGroupInformation(UGI) has support for 
> Kerberos authentication, as well as Token authentication. Since Spark does 
> not work correctly with the Kerberos auth method, it leads to a gap in fully 
> supporting all the security authentication mechanisms.
>  
>  If Kerberos is used to log in to UserGroupInformation(UGI) using keytabs at 
> the startup of drivers and executors, then Spark does not allow this 
> logged-in UserGroupInformation(UGI) user to correctly propagate. The 
> exception arises from the implementation of the runAsSparkUser method in 
> SparkHadoopUtil.
>  
>  The runAsSparkUser method in SparkHadoopUtil creates a new UGI based on the 
> current static UGI and then transfers credentials from this current static 
> UGI to the new UGI. This works well with other auth methods, except Kerberos. 
> The transfer credentials implementation is not conducive to the Kerberos auth 
> model since it does not transfer all the required internal state of UGI (such 
> as isKeytab and isKrbTkt). For Kerberos, the UGI has to be created from the 
> UGI.loginUserFromKeytab method only and not simply by doing a transfer of 
> credentials from the previous UGI to the new UGI. 
>  
>  Ideally, the CoarseGrainedExecutorBackend should log in using a keytab, 
> similar to MesosCoarseGrainedExecutorBackend.



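The create-then-transfer pattern the issue describes, reduced to Hadoop's public UserGroupInformation API. This is an added example, not Spark's code and not part of the original message: the class name `UgiTransferDemo` and the token are constructed for illustration, and it assumes hadoop-common is on the classpath. Run with no arguments it compares a simple-auth login with its copy; run with a principal and keytab path supplied by the reader it compares a keytab login with its copy.

```java
import java.nio.charset.StandardCharsets;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

// Hypothetical demo class: shows which UGI state survives a credential transfer.
public class UgiTransferDemo {
    // Print the fields the issue is about: auth method, Kerberos flag, keytab flag.
    static void describe(String label, UserGroupInformation ugi) {
        System.out.printf("%-7s user=%s auth=%s kerberos=%b fromKeytab=%b tokens=%d%n",
            label, ugi.getShortUserName(), ugi.getAuthenticationMethod(),
            ugi.hasKerberosCredentials(), ugi.isFromKeytab(),
            ugi.getCredentials().numberOfTokens());
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // Optional keytab login: args are <principal> <keytab path>.
            Configuration conf = new Configuration();
            conf.set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.setConfiguration(conf);
            UserGroupInformation.loginUserFromKeytab(args[0], args[1]);
        }
        UserGroupInformation source = UserGroupInformation.getCurrentUser();

        // Constructed sample token (not a real delegation token), so the
        // transfer has something to carry across.
        Token<TokenIdentifier> token = new Token<>(
            "constructed-id".getBytes(StandardCharsets.UTF_8),
            "constructed-pw".getBytes(StandardCharsets.UTF_8),
            new Text("DEMO_TOKEN"), new Text("demo-service"));
        Credentials creds = new Credentials();
        creds.addToken(new Text("demo"), token);
        source.addCredentials(creds);

        // The pattern from the issue: build a new UGI from the user name only,
        // then copy tokens and secret keys from the current UGI into it.
        UserGroupInformation copy =
            UserGroupInformation.createRemoteUser(source.getShortUserName());
        copy.addCredentials(source.getCredentials());

        describe("source", source);
        describe("copy", copy);
    }
}
```

Comparing the two printed lines after a keytab login shows the token count matching while the authentication method and keytab flag of the copy no longer match the source.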