pan3793 commented on PR #13187: URL: https://github.com/apache/iceberg/pull/13187#issuecomment-2962407104
I think using kinit is not the way forward since that's ephemeral and long running jobs are not able to summon such credentials. I would suggest keytab since it's the standard when we speak about kerberos... @gaborgsomogyi Spark allows using either Keytab or TGT for Kerberos authN, they are different ways. @zhangwl9 DT is not required when TGT is available, and it's the user's responsibility to refresh TGT, for details, refer to SPARK-26595 and https://github.com/apache/spark/blob/fa33ea000a0bda9e5a3fa1af98e8e85b8cc5e4d4/sql/hive/src/main/scala/org/apache/spark/sql/hive/security/HiveDelegationTokenProvider.scala#L67-L73 And the reason of my words "I don't think it works" is because your current implementation would simply erase the HMS token fetched by Spark's built-in HiveDelegationTokenProvider, right? If so, how does it work if your Spark built-in Hive catalog and Iceberg Hive catalog use different HMSs? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For additional commands, e-mail: issues-h...@iceberg.apache.org
