[ 
https://issues.apache.org/jira/browse/KAFKA-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15178887#comment-15178887
 ] 

Eron Wright  commented on KAFKA-1696:
-------------------------------------

I'd like clarification on whether renewal is possible using the delegation
token for authentication, and whether an infinite expiration will be possible
(with the appropriate configuration).

I'm thinking of the scenario of a production-level Flink streaming job,
consuming a topic in perpetuity. The client that submits the job should
obtain a delegation token using their Kerberos credential, then hand the
delegation token to the running job. The job should periodically renew the
token(s). Ideally the delegation token may be used to authenticate the
renewal request. It doesn't seem easy to have Flink use a Kerberos
credential to renew it, but may be possible with a service principal of some
kind.

The notion that the token eventually expires seems incompatible with
long-running jobs. A key purpose of delegation tokens is to avoid
distributing keytabs, but how does that reconcile with expiration?


> Kafka should be able to generate Hadoop delegation tokens
> ---------------------------------------------------------
>
>                 Key: KAFKA-1696
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1696
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jay Kreps
>            Assignee: Parth Brahmbhatt
>
> For access from MapReduce/etc jobs run on behalf of a user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
