(Optional) Configuring Spark for a Kerberos-Enabled Cluster
Spark jobs are submitted to a Hadoop cluster as YARN jobs. The developer creates a Spark application in a local environment, and tests it in a single-node Spark Standalone cluster on their developer workstation.
When a job is ready to run in a production environment, there are a few additional steps if the cluster is Kerberized:
The Spark History Server daemon needs a Kerberos account and keytab to run in a Kerberized cluster.
When you enable Kerberos for a Hadoop cluster with Ambari, Ambari configures Kerberos for the Spark History Server and automatically creates a Kerberos account and keytab for it. For more information, see Configuring Ambari and Hadoop for Kerberos.
If you are not using Ambari, or if you plan to enable Kerberos manually for the Spark History Server, see Creating Service Principals and Keytab Files for HDP in the Manual Install Guide.
To submit Spark jobs in a Kerberized cluster, the account (or person) submitting jobs needs a Kerberos account & keytab.
When access is authenticated without human interaction -- as happens for processes that submit job requests -- the process would use a headless keytab. Security risk is mitigated by ensuring that only the service who should be using the headless keytab has the permissions to read it.
An end user should use their own keytab when submitting a Spark job.
Setting Up Principals and Keytabs for End User Access to Spark
In the following example, user $USERNAME runs the Spark Pi job in a
Kerberos-enabled environment:
su $USERNAME kinit USERNAME@YOUR-LOCAL-REALM.COM cd /usr/hdp/current/spark-client/ ./bin/spark-submit --class org.apache.spark.examples.SparkPi --master yarn-cluster --num-executors 3 --driver-memory 512m --executor-memory 512m --executor-cores 1 lib/spark-examples*.jar 10
Setting Up Service Principals and Keytabs for Processes Submitting Spark Jobs
The following example shows the creation and use of a headless keytab for a
spark service user account that will submit Spark jobs on node
blue1@example.com:
Create a Kerberos service principal for user
spark:kadmin.local -q "addprinc -randkey spark/blue1@EXAMPLE.COM"Create the keytab:
kadmin.local -q "xst -k /etc/security/keytabs/spark.keytab spark/blue1@EXAMPLE.COM"Create a
sparkuser and add it to thehadoopgroup. (Do this for every node of your cluster.)useradd spark -g hadoopMake
sparkthe owner of the newly-created keytab:chown spark:hadoop /etc/security/keytabs/spark.keytabLimit access: make sure user
sparkis the only user with access to the keytab:chmod 400 /etc/security/keytabs/spark.keytab
In the following steps, user spark runs the Spark Pi example in a
Kerberos-enabled environment:
su spark kinit -kt /etc/security/keytabs/spark.keytab spark/blue1@EXAMPLE.COM cd /usr/hdp/current/spark-client/ ./bin/spark-submit --class org.apache.spark.examples.SparkPi --master yarn-cluster --num-executors 1 --driver-memory 512m --executor-memory 512m --executor-cores 1 lib/spark-examples*.jar 10