New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot use Kerberos when LIGHTER_YARN_KERBEROS environment variables not provided #39
Comments
Submit properties from API request, overrides those added by Lighter Execution backend, now that you mentioned it, I think it should work in a different way, user should not be able to override In that case Kerberos env variables will take precedence over the ones provided in request. However, Kerberos configs are used not only for spark submits, but also for job management through YarnClient. Now we use the same credentials when creating Yarn Client, and when submit spark application. We should probably make it possible to use different credentials for Yarn job management and Spark application properties, or add some configuration property for user to choose, if provided Kerberos configuration should be used for Spark applications as-well? |
@EmilK322 Thank you for bringing this issue. Lighter itself needs to have service level authentification in order to track jobs. These settings should be set during Lighter startup. This is why the @EmilK322 proposal is not optimal. At the moment Lighter does not have an option to provide different auth properties for jobs. Maybe we should add a different set of properties to have static job authentication creds (loaded during Lighter startup) for jobs. These props could be:
@pdambrauskas @EmilK322 what do you, guys, think about this approach? |
Sounds ok to me. |
Sounds good to me. |
When passing
LIGHTER_YARN_KERBEROS_PRINCIPAL
andLIGHTER_YARN_KERBEROS_KEYTAB
Lighter pass
spark.kerberos.principal
andspark.kerberos.keytab
configs to spark which is expected.Those environment variables allow running Spark with Kerberos but with only a single user whose credentials were provided during the startup of Lighter.
I tried to run Lighter without those environment variables and provide
spark.kerberos.principal
andspark.kerberos.keytab
during the HTTP Batch request but it fails with a message that only TOKEN or KERBEROS can be used instead of PLAIN.
The error message:
SIMPLE authentication is not enabled. Available:[TOKEN, KERBEROS]
The only difference in the code is that when env vars provided lighter set
hadoop.kerberos.keytab.login.autorenewal.enabled
totrue
.I didn't try to change this yet but my proposal is:
Allow submitting applications with different users provided in the request body if Kerberos env vars are not provided,
when provided the credential in the env vars will take precedence over the credentials in the request body.
This can be a great feature provided by Lighter.
The text was updated successfully, but these errors were encountered: