[
https://issues.apache.org/jira/browse/SLIDER-474?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14159688#comment-14159688
]
Jonathan Maron commented on SLIDER-474:
---------------------------------------
Additional functional/manual test:
- Set KDC ticket expiry to 3 hours
- Set HDFS renew cycle to 1 hour and token expiry to 3 hours
Waited about 3 and a half hours and then executed a cluster flex successfully.
No errors encountered during retrieval of token for new container indicating
that the login kerberos identity was still valid beyond the 3 hour period
(indicating that the ticket renewal mechanisms in UGI are working).
> convert token based authentication to kerberos/keytab based
> -----------------------------------------------------------
>
> Key: SLIDER-474
> URL: https://issues.apache.org/jira/browse/SLIDER-474
> Project: Slider
> Issue Type: Bug
> Components: appmaster, security
> Reporter: Jonathan Maron
> Assignee: Jonathan Maron
>
> The AM communication to HDFS and the localization performed by AM require an
> authenticated identity or delegation tokens. However, tokens require quite a
> bit of management to handle renewal and expiry. It is preferable to leverage
> a keytab and authenticate via kerberos in the AM (the login identity) and use
> that identity for managing the interactions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
