Hi Folks, Any thoughts?
- Bhooshan

On Sat, Jul 30, 2016 at 8:33 AM, Bhooshan Mogal <bhooshan.mo...@gmail.com> wrote:
> Hi,
>
> Does the Sentry Service provide delegation tokens for processes without
> Kerberos credentials to communicate with it (from YARN containers)?
>
> Use case: We have programs running in YARN accessing some entities on which
> authorization is enforced using Apache Sentry. There is a master process
> that can communicate with Sentry just fine using its Kerberos credentials.
> We have some level of caching implemented for ACLs as well, so we don't
> have to hit Sentry for every authorization request. However, given that
> this is a security feature, the cache needs to be updated very frequently.
> For updating this cache, going via the master every single time will create
> a bottleneck. So we wanted to explore whether there was a way for a dedicated
> service running in YARN containers (not every program, but a dedicated
> service) to communicate with Sentry using delegation tokens. Exposing the
> master's Kerberos credentials to such a service is not an option because it
> would lead to a security loophole.
>
> This would be similar to what KMS offers via
> https://issues.apache.org/jira/browse/HADOOP-10769.
>
> Thanks in advance,
> Bhooshan
>
> --
> Bhooshan