Sounds good. I will create a JIRA and assign to you.

On Fri, Feb 3, 2017 at 11:01 AM, Devendra Tagare <[email protected]> wrote:
> Hi,
>
> I would like to take this up.
>
> Thanks,
> Dev
>
> On Fri, Feb 3, 2017 at 10:51 AM, Pramod Immaneni <[email protected]>
> wrote:
>
> > When applications run in secure mode, they use delegation tokens to
> > access Hadoop resources. These delegation tokens have a lifetime,
> > typically 7 days, after which they no longer work and the application
> > will not be able to communicate with Hadoop. Apex can automatically
> > refresh these tokens before they expire. To do this it requires Kerberos
> > credentials which should be supplied during launch time.
> >
> > In a managed environment the user launching the application may not be
> > the intended runtime user for the application. Apex today supports
> > impersonation to achieve this. Typically, a management application uses
> > its own credentials, which typically have higher privilege, to launch the
> > application and impersonate as a regular user so that the application
> > runs as the regular user. However, the admin credentials are also
> > packaged with the application for refreshing the tokens described above.
> > This can cause a security concern because a regular user has access to
> > higher privilege Kerberos credentials.
> >
> > We need a way to specify alternate Kerberos credentials to be used for
> > token refresh. Today there is a partially implemented feature for this
> > which allows specification of the refresh keytab using a property but not
> > the principal. We would need to add support for the principal as well.
> > Does anybody want to take this up?
> >
> > Thanks
