Commit
[CARBONDATA-3512] Index Server enhancement
What changes are proposed

1. Remove the keytab dependency for IndexServer.
   Currently IndexServer needs to configure keytab and principal for both Client side and Server side. But IndexServer is a super user, and having the super user's keytab and principal in the client is not correct (especially spark-submit). Since IndexServer is wrapped around a Spark application, there is no need to ask the user for a keytab for IndexServer.

2. Authentication: This happens in org.apache.hadoop.security.SaslRpcClient#createSaslClient. It checks getServerPrincipal (spark.carbon.indexserver.principal) and Server protocol (UGI of IndexServer). The user needs to configure spark.carbon.indexserver.principal properly.

3. Authorization (ACL): Support users who can access the IndexServer.
   Authorization is controlled by the hadoop.security.authorization parameter. IndexServer has the below scenarios.

   1. Spark-submit, spark-shell, spark-Sql: These types of Spark application have a UGI where LoginUser and LoginUser will be the same, either based on kinit or based on spark.yarn.principal.
      Authorization is done in org.apache.hadoop.ipc.Server#authorize using the IndexServer ProtocolClass and the ACL list which is prepared by org.apache.hadoop.security.authorize.PolicyProvider (generally hadoop-policy.xml with key security.indexserver.protocol.acl, by default *).

   2. Spark JDBCServer: It has a UGI based on ProxyUser, like user1(auth:PROXY) via spark//, where user1 is currentUser and spark is LoginUser (JDBCServer started UGI). This type of authorization happens in org.apache.hadoop.security.authorize.ProxyUsers#authorize with the proxyUserAcl list prepared by hadoop.proxyuser.<INDEXSERVER_UGI>.users, hadoop.proxyuser.<INDEXSERVER_UGI>.hosts, hadoop.proxyuser.<INDEXSERVER_UGI>.groups.

TokenRenewer: IndexServer is NOT a token-based Hadoop service. It does not require a Delegation Token, as IndexServer does not connect to KDC since it is inside the Spark application (both Indexclient and IndexServer), so take advantage of it.

This closes #3375
Showing 5 changed files with 74 additions and 60 deletions.