spark
spark copied to clipboard
apache
[SPARK-39399] [CORE] [K8S]: Fix proxy-user authentication for Spark on k8s in cluster deploy mode
What changes were proposed in this pull request?
The PR fixes the authentication failure of the proxy user on driver side while accessing kerberized hdfs through spark on k8s job. It follows the similar approach as it was done for Mesos: https://github.com/mesosphere/spark/pull/26
Why are the changes needed?
When we try to access the kerberized HDFS through a proxy user in Spark Job running in cluster deploy mode with Kubernetes resource manager, we encounter AccessControlException. This is because authentication in driver is done using tokens of the proxy user and since proxy user doesn't have any delegation tokens on driver, auth fails.
Further details: https://issues.apache.org/jira/browse/SPARK-25355?focusedCommentId=17532063&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17532063
https://issues.apache.org/jira/browse/SPARK-25355?focusedCommentId=17532135&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17532135
Does this PR introduce any user-facing change?
Yes, user will now be able to use proxy-user to access kerberized hdfs with Spark on K8s.
How was this patch tested?
The patch was tested by:
-
Running job which accesses kerberized hdfs with proxy user in cluster mode and client mode with kubernetes resource manager.
-
Running job which accesses kerberized hdfs without proxy user in cluster mode and client mode with kubernetes resource manager.
-
Build and run test github action : https://github.com/shrprasa/spark/actions/runs/3051203625
@holdenk Thanks for approving the PR. Can you please merge this PR or tag someone who can do it?
