Posted to reviews@spark.apache.org by vanzin <gi...@git.apache.org> on 2018/11/01 17:00:17 UTC

[GitHub] spark pull request #22915: [SPARK-25825][K8S][WIP] Enable token renewal for ...

Github user vanzin commented on a diff in the pull request:

    https://github.com/apache/spark/pull/22915#discussion_r230117214
  
    --- Diff: docs/security.md ---
    @@ -798,6 +782,50 @@ achieved by setting `spark.kubernetes.hadoop.configMapName` to a pre-existing Co
         local:///opt/spark/examples/jars/spark-examples_<VERSION>.jar \
         <HDFS_FILE_LOCATION>
     ```
    +
    +## Long-Running Applications
    +
    +Long-running applications may run into issues if their run time exceeds the maximum delegation
    +token lifetime configured in services it needs to access.
    +
    +Spark supports automatically creating new tokens for these applications when running in YARN, Mesos, and Kubernetes modes.
    +If one wishes to launch the renewal thread in the Driver, Kerberos credentials need to be provided to the Spark application
    +via the `spark-submit` command, using the `--principal` and `--keytab` parameters.
    +
    +The provided keytab will be copied over to the machine running the Application Master via the Hadoop
    +Distributed Cache. For this reason, it's strongly recommended that both YARN and HDFS be secured
    +with encryption, at least.
    +
    +The Kerberos login will be periodically renewed using the provided credentials, and new delegation
    +tokens for supported will be created.
    +
    +#### Long-Running Kerberos in Kubernetes
    +
    +This section addresses the additional feature added uniquely to Kubernetes. If you are running an external token service
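    Review bot: the keytab paragraph (`The provided keytab will be copied over to the machine running the Application Master via the Hadoop Distributed Cache`) describes YARN-only behaviour, yet the section opens by stating that automatic token renewal is supported in YARN, Mesos, and Kubernetes modes; either say how the keytab reaches the driver in the other two modes or qualify that sentence as YARN-specific, because the "secure YARN and HDFS with encryption" recommendation that follows is the security guidance readers will act on and it does not cover the other deployments. Two smaller points: `new delegation tokens for supported will be created` is missing a noun (presumably "supported services"), and the `#### Long-Running Kerberos in Kubernetes` heading jumps from `##` to `####`, skipping a level.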
    --- End diff --
    
    Hey, let's make a deal.
    
    You point me at an existing service that does this, that anyone can download and use. It doesn't even need to be open source, it just needs to have a well defined interface that we can actually write code for or document. And then you write according to that service's interface.
    
    Then I'll stop saying that this service does not exist.
    
    It does not matter how many times you talk about this service if that service is not defined. You need to provide something that people can use, not give them hand-wavy explanations and leave it to them to figure out how to implement this service or where to find it.
    
    So please, until this service actually exists in some form, please refrain from mentioning it in Spark's documentation and building things based on it.

