accumulo-user mailing list archives

From Josh Elser
Subject Re: Correct usage of delegation tokens in Accumulo/Kerberization?
Date Wed, 22 Oct 2014 16:07:35 GMT
I feel like I've seen some chatter on the subject.. I'll see if I can 
dig up some relevant conversations.

I feel like it was something along the lines of providing a keytab for 
the process and pushing that (along with the app) into YARN and then the 
AM would do some work to make sure the tokens are automagically renewed.

Ed Kohlwey wrote:
> That's what I thought - the problem with this is that passing the TGT
> around doesn't really work for Yarn because those typically expire after
> 24 hours (I believe). I'm also not sure how Yarn would know how to
> refresh them - I know there are plans to set up a mechanism for Yarn to
> renew HDFS tokens automatically for long-running services, but it's not
> clear how this will work for services like Accumulo (i.e., if I have a
> long-running application in Yarn that needs to access Accumulo like Storm).
> On Tue, Oct 21, 2014 at 2:58 PM, Josh Elser wrote:
>     There isn't any tie right now between our Accumulo
>     AuthenticationToken and the Kerberos ticket that your client would
>     need to interact with HDFS/YARN/etc.
>     Right now, you'd have to have both a TGT and some credentials for
>     your client to connect against Accumulo. The other impls should be
>     able to pull the TGT out of your credentials cache.
>     This is something I realized recently that we need to improve. It's
>     on my radar if no one else beats me to the punch..
>     Ed Kohlwey wrote:
>         If I am writing a job that needs to access Accumulo, is there a way to
>         use the pluggable authentication system to do so "the right way" via
>         delegation tokens? Unlike Hadoop, YARN, and Hive, I can find no
>         reference to a delegation token system in the current Accumulo sources.
>         It looks like there were some commits a long time ago from John Vines
>         where he created something called KerberosToken, but it looks like it's
>         gone now.
>         What is the intended interaction pattern? Is there a way to do this sort
>         of thing without using PasswordToken and passing your password all over
>         the place?
