[ https://issues.apache.org/jira/browse/RANGER-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948084#comment-14948084 ]

Alok Lal commented on RANGER-686:
---------------------------------

Use case is valid and a good one for Ranger to address.  However, let me play 
devil's advocate and pose the following questions:
- Won't sites' best practices also require rotation of keytab passwords 
periodically for the same reasons that drive them to change passwords?
- Usually machines are pretty locked down.  How would we get the keytabs up to 
the ranger machines?
- We would have to deal with ranger HA deployments, i.e. when a keytab is 
uploaded it would have to be made available on all hosts running ranger-admin.
- Would having keytabs lying on the disk provide another attack vector?  
Today the passwords are kept in the database tables that store service config 
which is protected by usual means.  Now, however, we would have to also protect 
keytab locations.  Though this would be no different from keytabs stored on 
other non-ranger machines.

> Allow specifying keytabs in Ranger repositories
> -----------------------------------------------
>
>                 Key: RANGER-686
>                 URL: https://issues.apache.org/jira/browse/RANGER-686
>             Project: Ranger
>          Issue Type: New Feature
>            Reporter: Velmurugan Periasamy
>            Assignee: Gautam Borad
>             Fix For: 0.6.0
>
>
> PROBLEM: Currently you have to specify a principal and password when 
> configuring Ranger repositories.  It would be useful to allow specifying a 
> principal and keytab instead of password for authenticating the lookup-client 
> user.
> USE CASE:  Sites which have regular password expiration will experience the 
> lookup clients fail routinely.  Also specifying keytab instead of password is 
> considered a best practice.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)