Re: [PR] Spark: Iceberg_Spark Add delegation token for HiveCatalog [iceberg]

Wed, 11 Jun 2025 08:15:25 -0700 


zhangwl9 commented on PR #13187:
URL: https://github.com/apache/iceberg/pull/13187#issuecomment-2963228913

   > > I think using kinit is not the way forward since that's ephemeral and 
long running jobs are not able to summon such credentials. I would suggest 
keytab since it's the standard when we speak about kerberos...我认为使用 kinit 
并不是前进的方向,因为它是短暂的,而长时间运行的任务无法获取此类凭据。我建议使用 keytab,因为当我们谈论 kerberos 时,它是标准做法...
   > 
   > @gaborgsomogyi Spark allows using either Keytab or TGT for Kerberos authN, 
they are different ways.Spark 允许使用 Keytab 或 TGT 进行 Kerberos 身份验证,它们是不同的方式。
   > 
   > @zhangwl9 DT is not required when TGT is available, and it's the user's 
responsibility to refresh TGT, for details, refer to SPARK-26595 and当 TGT 
可用时,DT 是不必要的,并且刷新 TGT 是用户的责任,详细信息请参考 SPARK-26595 和
   > 
   > 
https://github.com/apache/spark/blob/fa33ea000a0bda9e5a3fa1af98e8e85b8cc5e4d4/sql/hive/src/main/scala/org/apache/spark/sql/hive/security/HiveDelegationTokenProvider.scala#L67-L73
   > 
   > And the reason of my words "I don't think it works" is because your 
current implementation would simply erase the HMS token fetched by Spark's 
built-in HiveDelegationTokenProvider, right? If so, how does it work if your 
Spark built-in Hive catalog and Iceberg Hive catalog use different 
HMSs?我所说的“我不认为它有效”的原因是因为你当前的实现会直接清除 Spark 内置的 HiveDelegationTokenProvider 获取的 
HMS 令牌,对吧?如果是这样,当你的 Spark 内置 Hive 目录和 Iceberg Hive 目录使用不同的 HMS 时,它将如何工作?
   
   @pan3793 The IcebergHiveConnectorDelegationTokenProvider gets and writes 
delegation tokens for each HMS  based on the metastore URI. The Spark built-in 
HiveDelegationTokenProvider also writes tokens based on metastore URIs. if the 
Spark built-in Hive Catalog and the Iceberg Hive Catalog point to different 
HMS, they don't affect each other; however, if the URIs are the same, the Token 
will be overwritten.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org
For additional commands, e-mail: issues-h...@iceberg.apache.org

Reply via email to