[ https://issues.apache.org/jira/browse/STORM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14066765#comment-14066765 ]

ASF GitHub Bot commented on STORM-346:
--------------------------------------

Github user Parth-Brahmbhatt commented on the pull request:

    https://github.com/apache/incubator-storm/pull/190#issuecomment-49469937
  
    The simplest alternative seems to be no implementation for IAutoCredentials
    needed for AutoHDFS to work. In other words, users will not have to specify
    any class for the "topology.auto-credentials" config for auto hdfs to work.

    The user will specify AutoHDFS.java as "nimbus.credential.renewers.classes"
    and AutoHDFS will only implement ICredentialsRenewer. In the prepare phase
    of AutoHDFS.java, which should be called on nimbus startup, we can get the
    HDFS credentials.

    I have one clarifying question. The ICredentialsRenewer implementations
    seem to be loaded by nimbus reading the "nimbus.credential.renewers.classes"
    config at startup. If I understand correctly, this means that if we use
    ICredentialsRenewer, users who have a running nimbus and want to use
    AutoHDFS will have to change the config and restart nimbus. Is that
    acceptable?
    
    



> (Security) Oozie style delegation tokens for HDFS/HBase
> -------------------------------------------------------
>
>                 Key: STORM-346
>                 URL: https://issues.apache.org/jira/browse/STORM-346
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Parth Brahmbhatt
>              Labels: security
>
> Oozie has the ability to fetch delegation tokens on behalf of other users by 
> running as a super user that can become a proxy user for almost anyone else.
> We should build one or more classes similar to AutoTGT that can fetch a 
> delegation token for HDFS/HBase, renew the token if needed, and then once the 
> token is about to permanently expire fetch a new one.
> According to some people I have talked with, HBase may need to have a JIRA 
> filed against it so that it can pick up a new delegation token without 
> needing to restart the process.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
