Pramod Immaneni created APEXCORE-636:
----------------------------------------
Summary: Ability to refresh tokens using the user's own Kerberos
credentials in a managed environment where the application is launched using an
admin with impersonation
Key: APEXCORE-636
URL: https://issues.apache.org/jira/browse/APEXCORE-636
Project: Apache Apex Core
Issue Type: Bug
Reporter: Pramod Immaneni
When applications run in secure mode, they use delegation tokens to access
Hadoop resources. These delegation tokens have a lifetime, typically 7 days,
after which they no longer work and the application will not be able to
communicate with Hadoop. Apex can automatically refresh these tokens before
they expire. To do this it requires Kerberos credentials which should be
supplied during launch time.
In a managed environment the user launching the application may not be the intended
runtime user for the application. Apex today supports impersonation to achieve
this. Typically, a management application uses its own credentials, which
usually have higher privilege, to launch the application and impersonate a
regular user so that the application runs as the regular user. However, the
admin credentials are also packaged with the application for refreshing the
tokens described above. This is a security concern because a regular
user then has access to higher-privilege Kerberos credentials.
We need a way to specify alternate Kerberos credentials to be used for token
refresh. Today there is a partially implemented feature for this which allows
specification of the refresh keytab using a property but not the principal. We
would need to add support for the principal as well.
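To illustrate the separation the report asks for, here is an added example (written for this note, not Apex's own implementation) that uses the standard Hadoop UserGroupInformation API: the admin identity is used only to launch as a proxy user, while token refresh logs in with a separate, lower-privilege principal and keytab. The principal names, keytab paths and the "yarn" renewer are placeholder assumptions.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

/** Launch and refresh use different Kerberos identities (all names are placeholders). */
public class TokenRefreshSeparation {

    /** Launch time: the admin logs in and impersonates the runtime user. */
    static UserGroupInformation launchAsProxyUser(Configuration conf, String runtimeUser)
            throws IOException {
        UserGroupInformation.setConfiguration(conf);
        // Admin keytab is read here, on the launcher host only; it is not packaged.
        UserGroupInformation admin = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                "admin@EXAMPLE.COM", "/etc/security/keytabs/admin.keytab"); // assumed paths
        return UserGroupInformation.createProxyUser(runtimeUser, admin);
    }

    /**
     * Refresh time (inside the running application): obtain fresh delegation
     * tokens using the runtime user's OWN principal and keytab, supplied
     * separately from the admin credentials. The refresh identity is rejected
     * if it is the admin principal, so a misconfiguration cannot silently
     * ship admin credentials with the application.
     */
    static Credentials refreshTokens(Configuration conf, String refreshPrincipal,
                                     String refreshKeytab, String adminPrincipal)
            throws IOException, InterruptedException {
        if (refreshPrincipal.equals(adminPrincipal)) {
            throw new IllegalArgumentException(
                    "refresh principal must not be the admin principal: " + refreshPrincipal);
        }
        UserGroupInformation refresher = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                refreshPrincipal, refreshKeytab);
        return refresher.doAs((PrivilegedExceptionAction<Credentials>) () -> {
            Credentials creds = new Credentials();
            FileSystem fs = FileSystem.get(conf);
            // "yarn" stands in for the renewer principal; in a real deployment this
            // would be the ResourceManager's principal (assumption).
            fs.addDelegationTokens("yarn", creds);
            return creds;
        });
    }
}
```

The returned Credentials would then be propagated to the application's containers before the current tokens reach their expiry.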
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)