Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Why does Ambari use headless keytab for Spark history server

Labels:
avatar
author-rank vjiang
Rising Star

Created ‎01-11-2016 10:37 PM

It looks like Ambari uses headless keytab for Spark history server:

Execute['/usr/bin/kinit -kt /dsap/etc/security/keytabs/spark.headless.keytab spark-abc@EXAMPLE.COM; '] {'user': 'spark'}

Does anyone know why?

Also current documentation suggests that we need to create keytabs on host as described here:

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_spark-guide/content/ch_installing-kerb-sp...

This is somehow confusing.

2,946 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank vshukla
Guru

Created ‎01-11-2016 10:41 PM

Ambari needs headless Keytab so it can start services without prompting for password. That's how Spark's History server is started (i.e. w/o prompting for password)

When an end user is submitting a spark job, they can use either a headless keytab or type the kerberos password.

View solution in original post

1,891 Views
4 REPLIES 4

avatar
author-rank vshukla
Guru

Created ‎01-11-2016 10:41 PM

Ambari needs headless Keytab so it can start services without prompting for password. That's how Spark's History server is started (i.e. w/o prompting for password)

When an end user is submitting a spark job, they can use either a headless keytab or type the kerberos password.

1,892 Views

avatar
author-rank hosako
Guru

Created ‎01-13-2016 11:28 PM

Is there any possibility that this headless keytab is used when spark submits a job (to YARN or hive, maybe?) to identify itself?

Not for ambari to start Spark service, maybe?

1,891 Views
0 Kudos

avatar
author-rank stevel author-rank
Guru

Created ‎01-14-2016 05:52 PM

Afraid not. The same keytab could be used if you had a local copy of it when you submitted work. Otherwise, when you submit a Spark job to the YARN cluster, it picks up your credentials, grabbing a Hive and HBase token if needed, and uses them for the duration of the job.

Note that because those tokens expire after a day or two, you can't do long-lived applications that way. You will need a keytab, and spark 1.5, which is where keytab-based Spark application support went in,

1,891 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎01-11-2016 11:54 PM

@Vincent Jiang, What is confusing... the fact that a keytab is being used or that a headless principal is being used?

1,891 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements