[GitHub] spark issue #17723: [SPARK-20434][YARN][CORE] Move kerberos delegation token...

[vanzin <gi...@git.apache.org>]

Github user vanzin commented on the issue:

    https://github.com/apache/spark/pull/17723
  
    > In yarn resource manager, it makes logical sense to use hadoop security - since spark becomes a yarn service
    
    No. Spark is a YARN client. Not a service.
    
    >  In mesos or other non hadoop based schedulers, I am not sure it does 
    
    The part you're missing is that it's not YARN that's mandating the use of UGI / delegation tokens for security. It's HDFS, Hive and HBase, all of which are perfectly valid services to use in a Mesos cluster (or any other cluster manager for that matter). So any solution for this problem that claims to support those services needs, at some point, to use UGI APIs.
    
    It's one thing to avoid exposing UGI APIs through Spark APIs. That might be a good thing to do. But you just cannot avoid the *use* of those APIs if you want to support those services that are based on the Hadoop security APIs.
    
    > Depending on hadoop security in core for spark security should be evaluated on its merits
    
    The main merit is that you cannot connect to secured Hadoop services without using those APIs. Unless you know something I don't know.
    
    UGI is also already used in core for some security-related features. So it's not like it's being "added".
    



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org