Kerberos ticket renewal on Spark streaming job that communicates to Kafka

1
votes

I have a long running Spark streaming job that runs on a kerberized Hadoop cluster. It fails every few days with the following error:

Diagnostics: token (token for XXXXXXX: HDFS_DELEGATION_TOKEN [email protected], renewer=yarn, realUser=, issueDate=XXXXXXXXXXXXXXX, maxDate=XXXXXXXXXX, sequenceNumber=XXXXXXXX, masterKeyId=XXX) can't be found in cache

I tried adding in --keytab and --principal options to spark-submit. But we already have the following options that do the same thing:

For the second option, we already pass in the keytab and principal with the following: 'spark.driver.extraJavaOptions=-Djava.security.auth.login.config=kafka_client_jaas.conf -Djava.security.krb5.conf=krb5.conf -XX:+UseCompressedOops -XX:+UseG1GC -XX:+UnlockDiagnosticVMOptions -XX:+G1SummarizeConcMark -XX:InitiatingHeapOccupancyPercent=35 -XX:ConcGCThreads=12' \

Same for spark.executor.extraJavaOptions. If we add the options --principal and --keytab it results in attempt to add file (keytab) multiple times to distributed cache

1
apache-sparkspark-streamingkerberos
Did you pass your keytab to your streaming job? cloudera.com/documentation/enterprise/5-8-x/topics/…tk421

1 Answers

0
votes

There are 2 ways that you can do it.

  1. Have a shell script that does the keytab/ticket generation on a regular interval.

  2. [RECOMMENDED] Pass your keytab to Spark with strict access only to spark user and it can automatically regenerate the tickets for you. Visit this Cloudera community page for more details. It's just a simple bunch of steps and you can get going!

Hope that helps!