[ https://issues.apache.org/jira/browse/APEXCORE-636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857273#comment-15857273 ]
ASF GitHub Bot commented on APEXCORE-636:
-----------------------------------------

GitHub user devtagare opened a pull request:

    https://github.com/apache/apex-core/pull/467

    APEXCORE-636 - user level kerberos support

    @PramodSSImmaneni could you please review

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devtagare/incubator-apex-core APEXCORE-636

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/apex-core/pull/467.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #467

----
commit dfe1a23224092c63dbff3b3652199310cb709f7b
Author: devtagare <devtag...@gmail.com>
Date:   2017-02-08T02:42:17Z

    APEXCORE-636 - user level kerberos support

----


> Ability to refresh tokens using user's own kerberos credentials in a managed environment where the application is launched using an admin with impersonation
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: APEXCORE-636
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-636
>             Project: Apache Apex Core
>          Issue Type: Bug
>            Reporter: Pramod Immaneni
>            Assignee: devendra tagare
>
> When applications run in secure mode, they use delegation tokens to access Hadoop resources. These delegation tokens have a lifetime, typically 7 days, after which they no longer work and the application will not be able to communicate with Hadoop. Apex can automatically refresh these tokens before they expire. To do this it requires Kerberos credentials which should be supplied during launch time.
>
> In a managed environment the user launching the application may not be the intended runtime user for the application. Apex today supports impersonation to achieve this. Typically, a management application uses its own credentials, which typically have higher privilege, to launch the application and impersonate a regular user so that the application runs as the regular user. However, the admin credentials are also packaged with the application for refreshing the tokens described above. This can cause a security concern because a regular user has access to higher privilege Kerberos credentials.
>
> We need a way to specify alternate kerberos credentials to be used for token refresh. Today there is a partially implemented feature for this which allows specification of the refresh keytab using a property but not the principal. We would need to add support for the principal as well.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
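Added illustration of the credential separation the issue asks for, written in Java against the Hadoop UserGroupInformation API. This is not Apex code and not the content of the pull request above; it only shows the shape of the fix: the admin principal/keytab is used on the launch host to impersonate the runtime user, while the application itself carries and uses only the runtime user's own principal and keytab (both, not just the keytab) to fetch fresh delegation tokens. Class, method and parameter names (SeparateRefreshCredentials, launchAsProxy, refreshTokens, requireDistinctPrincipals, tokenFile, renewer) are assumptions; the Hadoop calls (loginUserFromKeytabAndReturnUGI, createProxyUser, addDelegationTokens, writeTokenStorageFile) are the real API.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/**
 * Added illustration (not Apex code): keep the admin keytab on the launch side
 * and give the running application only the runtime user's own refresh
 * principal/keytab. All class, method and parameter names are assumptions.
 */
public class SeparateRefreshCredentials {

  /**
   * Launch side. The management application logs in with its own
   * (higher-privilege) principal and impersonates the runtime user.
   * The admin keytab is read here and is never added to the application package.
   */
  public static UserGroupInformation launchAsProxy(String adminPrincipal,
                                                   String adminKeytab,
                                                   String runtimeUser) throws IOException {
    UserGroupInformation admin =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(adminPrincipal, adminKeytab);
    return UserGroupInformation.createProxyUser(runtimeUser, admin);
  }

  /**
   * Refresh side, running inside the application before the tokens expire.
   * Logs in with the runtime user's own principal/keytab, obtains fresh
   * delegation tokens for the default file system and writes them to the
   * token file the containers read. Nothing here touches the admin keytab.
   */
  public static Token<?>[] refreshTokens(String refreshPrincipal,
                                         String refreshKeytab,
                                         Configuration conf,
                                         Path tokenFile,
                                         String renewer)
      throws IOException, InterruptedException {
    UserGroupInformation user =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(refreshPrincipal, refreshKeytab);
    return user.doAs((PrivilegedExceptionAction<Token<?>[]>) () -> {
      Credentials creds = new Credentials();
      Token<?>[] tokens = FileSystem.get(conf).addDelegationTokens(renewer, creds);
      creds.writeTokenStorageFile(tokenFile, conf);
      return tokens;
    });
  }

  /**
   * Launch-time check: the refresh principal configured for the application
   * must not be the admin principal, otherwise the higher-privilege credentials
   * would again end up inside the package. Returns true when the separation holds.
   */
  public static boolean requireDistinctPrincipals(String adminPrincipal, String refreshPrincipal) {
    if (refreshPrincipal == null || refreshPrincipal.isEmpty()) {
      throw new IllegalArgumentException("refresh principal must be configured explicitly");
    }
    if (refreshPrincipal.equals(adminPrincipal)) {
      throw new IllegalArgumentException(
          "refresh principal must differ from the launching admin principal");
    }
    return true;
  }
}
```

With this split a compromise of the application's containers exposes only the runtime user's keytab, which is the user's own credential anyway, rather than the management application's higher-privilege one; the check in requireDistinctPrincipals is the cheap guard that keeps a misconfiguration from silently reintroducing the admin keytab into the package.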