Hi,

I would like to take this up.

Thanks,
Dev

On Fri, Feb 3, 2017 at 10:51 AM, Pramod Immaneni <[email protected]>
wrote:

> When applications run in secure mode, they use delegation tokens to access
> Hadoop resources. These delegation tokens have a lifetime, typically 7
> days, after which they no longer work and the application will not be able
> to communicate with Hadoop. Apex can automatically refresh these tokens
> before they expire. To do this it requires Kerberos credentials which
> should be supplied during launch time.
>
> In a managed environment the user launching the application may not be the
> intended runtime user for the application. Apex today supports
> impersonation to achieve this. Typically, a management application uses its
> own credentials, which typically have higher privilege, to launch the
> application and impersonate as a regular user so that the application runs
> as the regular user. However, the admin credentials are also packaged with
> the application for refreshing the tokens described above. This can
> cause a security concern because a regular user has access to higher
> privilege Kerberos credentials.
>
> We need a way to specify alternate Kerberos credentials to be used for
> token refresh. Today there is a partially implemented feature for this
> which allows specification of the refresh keytab using a property but not
> the principal. We would need to add support for the principal as well. Does
> anybody want to take this up?
>
> Thanks
>