[ https://issues.apache.org/jira/browse/SLIDER-446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14142287#comment-14142287 ]
Jonathan Maron commented on SLIDER-446:
---------------------------------------
Maybe it's not clear from my description, but I am specifically talking about
renewing the HDFS delegation token in the Slider AM. The AM may continue to
need to perform some operations (logging, etc.) during the life span of the
application, beyond 7 days. In the case of an AM, I'm not certain I understand
the need to distribute the tokens further? The interaction is purely for AM
instance to HDFS.
Are you suggesting that rather than renew a token, for each HDFS interaction we
use a keytab to create a kerberized user and perform the HDFS operations?
> delegation token renewer identity may require definition of 'slider' user and
> principal
> ---------------------------------------------------------------------------------------
>
> Key: SLIDER-446
> URL: https://issues.apache.org/jira/browse/SLIDER-446
> Project: Slider
> Issue Type: Bug
> Components: appmaster, security
> Affects Versions: Slider 0.50
> Reporter: Jonathan Maron
> Assignee: Jonathan Maron
>
> Currently the HDFS delegation token renewal framework needs to establish a
> user/subject using Kerberos (not tokens) in order to perform the token
> renewal or replacement operations. Given that it was HDFS, the current
> implementation leverages the namenode principal as the renewing identity.
> However, this approach does not work if the node on which the AM is running
> doesn't actually have access to the namenode keytab. So, as I see it, there
> are a number of alternatives:
> 1) Look for a datanode keytab if the namenode keytab is not available and
> use the DN service principal - probably not the best choice since, once
> again, there's no guarantee that a DN is running on the NM host.
> 2) Use the NM principal/keytab - this may be appropriate. Are there any
> permission issues in leveraging a yarn principal with HDFS?
> 3) Create a slider-specific service principal and keytab - this would seem
> to be appropriate given the precedent set in Hadoop (most secure applications
> appear to manage their own set of principals).
> 4) Others?
> Given that this subject may engender multiple opinions, I could use option 2
> as an interim (and possibly final) solution?
>
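The keytab-based alternative asked about in the comment above, sketched with Hadoop's `UserGroupInformation` API as an added example; it is not part of the original message and is not Slider's code. The class name, the principal, the keytab path and the target file are hypothetical and are passed in as arguments; the cluster configuration is assumed to be on the classpath with Kerberos authentication enabled.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;

// Added illustration (hypothetical class): HDFS access backed by a keytab instead of a renewed token.
public class KeytabHdfsWriter {
  private final Configuration conf;
  private final UserGroupInformation ugi;

  // principal and keytabPath are assumptions, e.g. a dedicated service principal and its keytab.
  public KeytabHdfsWriter(Configuration conf, String principal, String keytabPath)
      throws IOException {
    this.conf = conf;
    UserGroupInformation.setConfiguration(conf);
    // Returns a UGI for the principal without replacing the process-wide login user.
    this.ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabPath);
  }

  // Writes one line to HDFS as the keytab principal.
  public void writeLine(final Path file, final String line)
      throws IOException, InterruptedException {
    // Re-login from the keytab when the TGT is near expiry; no delegation token is involved.
    ugi.checkTGTAndReloginFromKeytab();
    ugi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws IOException {
        // FileSystem.get caches per user and URI, so the shared instance is not closed here.
        FileSystem fs = FileSystem.get(conf);
        try (FSDataOutputStream out = fs.create(file, true)) {
          out.write((line + "\n").getBytes(StandardCharsets.UTF_8));
        }
        return null;
      }
    });
  }

  public static void main(String[] args) throws Exception {
    // args: <principal> <keytab path> <HDFS file>, all supplied by the operator.
    KeytabHdfsWriter w = new KeytabHdfsWriter(new Configuration(), args[0], args[1]);
    w.writeLine(new Path(args[2]), "am heartbeat");
  }
}
```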