zhangwl9 commented on PR #13187: URL: https://github.com/apache/iceberg/pull/13187#issuecomment-2969342775
> erase the HMS token fetched by Spark's built-in HiveDelegationTokenProvider @pan3793 > > > I think using kinit is not the way forward since that's ephemeral and long running jobs are not able to summon such credentials. I would suggest keytab since it's the standard when we speak about kerberos...我认为使用 kinit 并不是前进的方向,因为它是短暂的,而长时间运行的任务无法获取此类凭据。我建议使用 keytab,因为当我们谈论 kerberos 时,它是标准做法... > > > > > > @gaborgsomogyi Spark allows using either Keytab or TGT for Kerberos authN, they are different ways.Spark 允许使用 Keytab 或 TGT 进行 Kerberos 身份验证,它们是不同的方式。 > > @zhangwl9 DT is not required when TGT is available, and it's the user's responsibility to refresh TGT, for details, refer to SPARK-26595 and当 TGT 可用时,DT 是不必要的,并且刷新 TGT 是用户的责任,详细信息请参考 SPARK-26595 和 > > https://github.com/apache/spark/blob/fa33ea000a0bda9e5a3fa1af98e8e85b8cc5e4d4/sql/hive/src/main/scala/org/apache/spark/sql/hive/security/HiveDelegationTokenProvider.scala#L67-L73 > > And the reason of my words "I don't think it works" is because your current implementation would simply erase the HMS token fetched by Spark's built-in HiveDelegationTokenProvider, right? If so, how does it work if your Spark built-in Hive catalog and Iceberg Hive catalog use different HMSs?我所说的“我不认为它有效”的原因是因为你当前的实现会直接清除 Spark 内置的 HiveDelegationTokenProvider 获取的 HMS 令牌,对吧?如果是这样,当你的 Spark 内置 Hive 目录和 Iceberg Hive 目录使用不同的 HMS 时,它将如何工作? > > @pan3793 The IcebergHiveConnectorDelegationTokenProvider gets and writes delegation tokens for each HMS based on the metastore URI. if the Spark built-in Hive Catalog and the Iceberg Hive Catalog point to different HMS, they don't affect each other; however, if the URIs are the same, the Token will be overwritten. @pan3793 Currently,the current value of each HMS's metastoreuri is used as the key, and is saved to credientials along with the corresponding token Whether it will also erase the HMS token fetched by Spark's built-in HiveDelegationTokenProvider that uses “hive.server2.delegation.token” as the key. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@iceberg.apache.org For additional commands, e-mail: issues-h...@iceberg.apache.org
