Here is the JIRA. Let's have further discussion on the JIRA so it is available for reference.
https://issues.apache.org/jira/browse/APEXCORE-636

Thanks

On Fri, Feb 3, 2017 at 11:05 AM, Pramod Immaneni <[email protected]> wrote:

> Sounds good. I will create a JIRA and assign it to you.
>
> On Fri, Feb 3, 2017 at 11:01 AM, Devendra Tagare <[email protected]> wrote:
>
>> Hi,
>>
>> I would like to take this up.
>>
>> Thanks,
>> Dev
>>
>> On Fri, Feb 3, 2017 at 10:51 AM, Pramod Immaneni <[email protected]> wrote:
>>
>> > When applications run in secure mode, they use delegation tokens to
>> > access Hadoop resources. These delegation tokens have a lifetime,
>> > typically 7 days, after which they no longer work and the application
>> > will not be able to communicate with Hadoop. Apex can automatically
>> > refresh these tokens before they expire. To do this it requires
>> > Kerberos credentials which should be supplied during launch time.
>> >
>> > In a managed environment the user launching the application may not be
>> > the intended runtime user for the application. Apex today supports
>> > impersonation to achieve this. Typically, a management application uses
>> > its own credentials, which typically have higher privilege, to launch
>> > the application and impersonate as a regular user so that the
>> > application runs as the regular user. However, the admin credentials
>> > are also packaged with the application for refreshing the tokens
>> > described above. This can cause a security concern because a regular
>> > user has access to higher-privilege Kerberos credentials.
>> >
>> > We need a way to specify alternate Kerberos credentials to be used for
>> > token refresh. Today there is a partially implemented feature for this
>> > which allows specification of the refresh keytab using a property but
>> > not the principal. We would need to add support for the principal as
>> > well. Does anybody want to take this up?
>> >
>> > Thanks
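
The sketch below is an added example, not code from Apex or from anyone in this thread. It shows why a refresh keytab is not usable without a matching principal: Hadoop's keytab login takes both, and the delegation tokens are then fetched under that alternate identity instead of the launcher's admin credentials. The class name, method name and command-line arguments are hypothetical, and it assumes a Kerberos-enabled Hadoop configuration on the classpath.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

// Hypothetical helper: fetch fresh delegation tokens with dedicated refresh credentials.
public class RefreshTokenSketch {

  public static Credentials fetchTokens(final Configuration conf, String refreshPrincipal,
      String refreshKeytab, final String renewer) throws IOException, InterruptedException {
    // A keytab alone is not enough: the login call needs the principal it belongs to.
    if (refreshPrincipal == null || refreshPrincipal.isEmpty()
        || refreshKeytab == null || refreshKeytab.isEmpty()) {
      throw new IllegalArgumentException("refresh principal and keytab must both be set");
    }
    UserGroupInformation.setConfiguration(conf);
    // Returns a separate UGI; the process-wide login user is left unchanged.
    UserGroupInformation refreshUgi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(refreshPrincipal, refreshKeytab);

    // An anonymous class avoids the doAs() overload ambiguity a lambda would hit.
    return refreshUgi.doAs(new PrivilegedExceptionAction<Credentials>() {
      @Override
      public Credentials run() throws IOException {
        Credentials creds = new Credentials();
        // newInstance() bypasses the FileSystem cache so closing it affects no other user.
        try (FileSystem fs = FileSystem.newInstance(conf)) {
          fs.addDelegationTokens(renewer, creds); // new tokens are added to creds
        }
        return creds;
      }
    });
  }

  // Usage: RefreshTokenSketch <refresh-principal> <refresh-keytab-path> <renewer>
  public static void main(String[] args) throws Exception {
    Credentials creds = fetchTokens(new Configuration(), args[0], args[1], args[2]);
    System.out.println("Obtained " + creds.numberOfTokens() + " delegation token(s)");
  }
}
```

Only the refresh keytab needs to be readable by the running application, so the launcher's higher-privilege keytab never has to be packaged with it.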
