[
https://issues.apache.org/jira/browse/HADOOP-16298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16839856#comment-16839856
]
Don Bosco Durai commented on HADOOP-16298:
------------------------------------------
[~clayb] I like the overall approach. This nicely extends authentication to
non-Kerberos environments and also opens up alternate options for renewing
delegation tokens in long-running services.

Regarding the dependencies on Kubernetes libraries, could it be externalized
as REST APIs, similar to refresh URLs in delegation tokens? The external service
can have the required dependencies, and the design can also be used for other
authentication mechanisms.
> Manage/Renew delegation tokens for externally scheduled jobs
> ------------------------------------------------------------
>
> Key: HADOOP-16298
> URL: https://issues.apache.org/jira/browse/HADOOP-16298
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.7.3, 2.9.0, 3.2.0, 3.3.0
> Reporter: Pankaj Deshpande
> Priority: Major
> Attachments: Proposal for changes to UGI for managing_renewing
> externally managed delegation tokens.pdf
>
>
> * Presently, when jobs are run in the Hadoop ecosystem, the implicit
> assumption is that YARN will be used as a scheduling agent with access to
> appropriate keytabs for renewal of Kerberos tickets and delegation tokens.
> * Jobs that interact with Kerberized Hadoop services such as HBase/Hive/HDFS
> and use an external scheduler such as Kubernetes typically do not have
> access to keytabs. In such cases, delegation tokens are a logical choice for
> interacting with a Kerberized cluster. These tokens are issued based on some
> external auth mechanism (such as Kube LDAP authentication).