...

I am leaning towards option #1, because it keeps the configuration of principal and keytab location separate from, and independent of, other user preferences (which are available as runtime arguments in programs).

...

Hadoop's UserGroupInformation class has the following method:

// Log a user in from a keytab file.
UserGroupInformation loginUserFromKeytabAndReturnUGI(String user, String path);

With this, we can impersonate the user with the following steps:

...
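An added example (not code from the original page or from CDAP) showing one way to use this method: log in from the keytab, then run a single action under the returned identity with `doAs`. It assumes a Kerberos-enabled Hadoop client on the classpath; the class name, the helper names `requireOwnerOnly` and `runAs`, the principal and the keytab path are hypothetical placeholders.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.PrivilegedExceptionAction;
import java.util.EnumSet;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.UserGroupInformation;

public class KeytabImpersonation {

  // Anyone who can read a keytab can authenticate as its principal, so refuse
  // files that grant anything beyond owner read/write (hypothetical helper).
  static void requireOwnerOnly(String keytabPath) throws IOException {
    Set<PosixFilePermission> perms = Files.getPosixFilePermissions(Paths.get(keytabPath));
    Set<PosixFilePermission> allowed =
        EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
    if (!allowed.containsAll(perms)) {
      throw new IOException("Keytab " + keytabPath + " is too permissive: " + perms);
    }
  }

  // Log in as the principal and run one action as that user. The returned UGI
  // is separate from the process login user, so system code keeps its identity.
  static <T> T runAs(String principal, String keytabPath, PrivilegedExceptionAction<T> action)
      throws IOException, InterruptedException {
    requireOwnerOnly(keytabPath);
    UserGroupInformation ugi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
    return ugi.doAs(action);
  }

  public static void main(String[] args) throws Exception {
    Configuration conf = new Configuration();
    conf.set("hadoop.security.authentication", "kerberos");
    UserGroupInformation.setConfiguration(conf);

    String principal = "alice@EXAMPLE.COM";               // placeholder principal
    String keytab = "/etc/security/keytabs/alice.keytab"; // placeholder path
    // FileSystem.get() inside doAs resolves to the impersonated user's view.
    String home = runAs(principal, keytab,
        () -> FileSystem.get(conf).getHomeDirectory().toString());
    System.out.println("Home directory as " + principal + ": " + home);
  }
}
```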

StreamWriters are system code, but they write to user Streams, so this should also be impersonated.
It is not yet determined how impersonation will work here, but the above approach cannot be used in this case.
A design for this will be fleshed out later. A couple of things to consider when thinking about the design later:

...

  1. How will admins configure multiple keytabs (for the various configured principals)?
  2. Should we restrict updates to particular fields of the NamespaceConfig? Making it a 'final' configuration may simplify edge cases of the implementation, and will also reduce runtime failures. For instance, if a user changes the principal of a namespace, the user would have to ensure that this new principal has all the appropriate permissions.
  3. When launching jobs through Twill, the staging directory is always cdap/twill/...; do we need to change Twill to pass in the staging dir through prepareRun?

...