[FEATURE] Enhance zookeeper authentication and acls of Kyuubi HA module #1204
Comments
We can use --file for both client and cluster mode |
When running in Spark yarn-client mode, the driver should be able to read the keytab file of the Kyuubi server. Is it necessary to add the --file? |
That's true. But it will be difficult and hacky to let the Kyuubi server know whether the engine is in client mode or not. |
After adding the --file configuration, the keytab path needs to be changed to a relative path. Is there a problem changing to a relative path in the yarn client mode? |
I guess it is not a problem, the same as in the yarn cluster mode, and maybe also with other cluster managers |
OK, thanks @yaooqinn. I will not distinguish between client and cluster modes and test them. |
Hi @yaooqinn, there is a problem with adding --file in the yarn-client mode and changing the path to a relative path. spark conf:
error log:
|
Looks like we have to detect the value of |
Sorry, @yaooqinn , I don't quite understand this reply. The current detection is on the Engine side. |
|
OK, thank you for your guidance. I will implement it in this way. |
I have tested it. Please help me see if there are problems with the implementation and configuration. cc @yaooqinn The results are as follows: 1. sasl kerberos kyuubi conf:
2. digest kyuubi conf:
|
It looks fine to me. However, can we merge some of these configurations? It is now very hard to explain and use.
cc @zhouyifan279, do you have any idea whether we can add some unit tests to test with a kerberized ZooKeeper and ACLs? |
How about
|
@yaooqinn Looks good. Can we add the following fallback configuration?
|
SGTM also cc @turboFei |
As we already have @wForget, would you mind adding these test cases? I'm also glad to do the work if you have no time. |
Thanks @zhouyifan279, I still have some configurations to be adjusted. After completion, I will improve the test cases according to your suggestions. |
… authentication and acls
…ion and acls Co-authored-by: wForget <643348094@qq.com>
Code of Conduct
Search before asking
Describe the feature
Support ZooKeeper SASL Kerberos authentication of the engine and more ZooKeeper ACL schemes.
Motivation
No response
Describe the solution
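ZooKeeper supports multiple types of ACL schemes; two typical ones are described below.
Support SASL Kerberos ACLs
Example node ACLs:
Configuration plan:
Other changes:
Support Digest ACLs
Example node ACLs:
Configuration plan:
Other changes:
References: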
Additional context
I don’t have a deep understanding of the Zookeeper authentication mechanism. If you have any questions, please point them out.
Are you willing to submit PR?