Alexey Serbin has posted comments on this change. Change subject: [security] derive TSK params from authn token ones ......................................................................
Patch Set 2: (2 comments) http://gerrit.cloudera.org:8080/#/c/6071/2//COMMIT_MSG Commit Message: PS2, Line 9: Use more restrictive settings for default TSK validity and rotation : intervals: 48 and 12 hours correspondingly. > I think we should go with 1 week validity on TSKs, to match what some other Yep, if it's easier for users to operate in terms of token validity interval -- sure, we should derive our parameters from that and in that case TSK lifetime to be authn_token_validity_interval + rotation_interval http://gerrit.cloudera.org:8080/#/c/6071/2/src/kudu/master/master.cc File src/kudu/master/master.cc: PS2, Line 67: DEFINE_int64(authn_token_validity_seconds, 0, : "Period of time for which an issued authentication token is valid." : "Specifying 0 means set maximum possible token validity time " : "without risking that the signing/verification key could expire " : "before the token itself."); : / > I think I'd prefer that this be the user-configurable thing, since it's the Sure, it makes more sense to target customer use-cases where they use job lifetimes as the primary unit. Thank you for pointing at this -- I'll update this patch accordingly. -- To view, visit http://gerrit.cloudera.org:8080/6071 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-MessageType: comment Gerrit-Change-Id: I95bc64897ed16becda4ab8de6817695fdb48e9eb Gerrit-PatchSet: 2 Gerrit-Project: kudu Gerrit-Branch: master Gerrit-Owner: Alexey Serbin <[email protected]> Gerrit-Reviewer: Alexey Serbin <[email protected]> Gerrit-Reviewer: Dan Burkert <[email protected]> Gerrit-Reviewer: Kudu Jenkins Gerrit-Reviewer: Tidy Bot Gerrit-Reviewer: Todd Lipcon <[email protected]> Gerrit-HasComments: Yes
