[GitHub] spark issue #16788: [SPARK-16742] Kerberos impersonation support

[mgummelt <gi...@git.apache.org>]

Github user mgummelt commented on the issue:

    https://github.com/apache/spark/pull/16788
  
    A few high-level issues:
    
    - The title of this PR seems misleading.  This is about Kerberos support in general, not just proxy user support.
    - There's no delegation token renewer.  Executors will start failing to read data once their delegation tokens expire.
    - This conflicts with how YARN handles kerberos auth, which has the `ApplicationMaster` login via the keytab, and executors read the delegation tokens from HDFS via the `CredentialUpdater`.  It's going to be very hard to generalize that solution to Mesos.  Since the subject of this JIRA is "Kerberos support on Mesos", I prefer we keep this solution Mesos specific, and just aim for a consistent user interface (--keytab, --principal, --proxy-user). 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org