  1. Spark
  2. SPARK-31551

createSparkUser lost user's non-Hadoop credentials


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Incomplete
    • 2.4.4, 2.4.5
    • None
    • Spark Core

    Description

      See current createSparkUser:

        def createSparkUser(): UserGroupInformation = {
          val user = Utils.getCurrentUserName()
          logDebug("creating UGI for user: " + user)
          val ugi = UserGroupInformation.createRemoteUser(user)
          transferCredentials(UserGroupInformation.getCurrentUser(), ugi)
          ugi
        }

        def transferCredentials(source: UserGroupInformation, dest: UserGroupInformation): Unit = {
          dest.addCredentials(source.getCredentials())
        }

        def getCurrentUserName(): String = {
          Option(System.getenv("SPARK_USER"))
            .getOrElse(UserGroupInformation.getCurrentUser().getShortUserName())
        }
      

      The transferCredentials func can only transfer Hadoop creds such as Delegation Tokens.
      However, other creds stored in UGI.subject.getPrivateCredentials will be lost here, such as:

      1. Non-Hadoop creds:
        Such as, Kafka creds
      2. Newly supported or 3rd party supported Hadoop creds:
        For example, to support OAuth/JWT token authn on Hadoop, we need to store the OAuth/JWT token in UGI.subject.getPrivateCredentials. However, these tokens are not supposed to be managed by Hadoop Credentials (currently it is only for Hadoop secret keys and delegation tokens).

      Another issue is that SPARK_USER only gets the UserGroupInformation.getCurrentUser().getShortUserName() of the user, which may lose the user's fully qualified user name. We had better use getUserName to get the fully qualified user name on our client side, which is aligned with HADOOP_PROXY_USER.

      Related to https://issues.apache.org/jira/browse/SPARK-1051
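
The loss described in this report can be reproduced with the sketch below, which is an added example and not code from the report or from Spark. It assumes a Java 8 runtime with a Hadoop 2.x client on the classpath and simple authentication; `BearerToken`, `TransferCredentialsCheck`, `transferAll`, the user name and all credential values are hypothetical and constructed for illustration.

```scala
import java.security.{AccessController, PrivilegedAction}
import javax.security.auth.Subject
import scala.collection.JavaConverters._
import org.apache.hadoop.io.Text
import org.apache.hadoop.security.{Credentials, UserGroupInformation}

// Hypothetical stand-in for a non-Hadoop credential (e.g. an OAuth/JWT token).
final case class BearerToken(value: String)

object TransferCredentialsCheck {
  // UGI.getSubject is protected, so read the Subject from inside doAs.
  def subjectOf(ugi: UserGroupInformation): Subject =
    ugi.doAs(new PrivilegedAction[Subject] {
      override def run(): Subject = Subject.getSubject(AccessController.getContext)
    })

  def bearerTokens(ugi: UserGroupInformation): Set[BearerToken] =
    subjectOf(ugi).getPrivateCredentials(classOf[BearerToken]).asScala.toSet

  // Same call as transferCredentials in the report: Hadoop Credentials only.
  def transferHadoopOnly(src: UserGroupInformation, dst: UserGroupInformation): Unit =
    dst.addCredentials(src.getCredentials())

  // Assumed fuller transfer (not Spark's code): also copy private credentials
  // that are not Hadoop Credentials containers.
  def transferAll(src: UserGroupInformation, dst: UserGroupInformation): Unit = {
    transferHadoopOnly(src, dst)
    subjectOf(src).getPrivateCredentials.asScala.toSeq
      .filterNot(_.isInstanceOf[Credentials])
      .foreach(c => subjectOf(dst).getPrivateCredentials.add(c))
  }

  def main(args: Array[String]): Unit = {
    val source = UserGroupInformation.createRemoteUser("alice") // constructed user
    val hadoopCreds = new Credentials()
    hadoopCreds.addSecretKey(new Text("demo.key"), "constructed".getBytes("UTF-8"))
    source.addCredentials(hadoopCreds)
    subjectOf(source).getPrivateCredentials.add(BearerToken("constructed-jwt"))

    val lossy = UserGroupInformation.createRemoteUser(source.getShortUserName)
    transferHadoopOnly(source, lossy)
    println(s"secret key copied:   ${lossy.getCredentials.getSecretKey(new Text("demo.key")) != null}")
    println(s"bearer token copied: ${bearerTokens(lossy).nonEmpty}")

    val full = UserGroupInformation.createRemoteUser(source.getUserName)
    transferAll(source, full)
    println(s"after transferAll:   ${bearerTokens(full).nonEmpty}")
  }
}
```

Copying every private credential widens what the new UGI holds, so a production version would more likely copy an allow-list of credential classes than everything in the Subject.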

            People

              Unassigned Unassigned
              yqwang Yuqi Wang