accumulo-user mailing list archives

From Ed Kohlwey <ekohl...@gmail.com>
Subject Re: Correct usage of delegation tokens in Accumulo/Kerberization?
Date Wed, 22 Oct 2014 13:49:07 GMT
That's what I thought - the problem with this is that passing the TGT around
doesn't really work for Yarn because those typically expire after 24 hours
(I believe). I'm also not sure how Yarn would know how to refresh them - I
know there are plans to set up a mechanism for Yarn to renew HDFS tokens
automatically for long-running services, but it's not clear how this will
work for services like Accumulo (i.e., if I have a long-running application
in Yarn that needs to access Accumulo like Storm).

On Tue, Oct 21, 2014 at 2:58 PM, Josh Elser <josh.elser@gmail.com> wrote:

> There isn't any tie right now between our Accumulo AuthenticationToken
> and the Kerberos ticket that your client would need to interact with
> HDFS/YARN/etc.
>
> Right now, you'd have to have both a TGT and some credentials for your
> client to connect against Accumulo. The other impls should be able to pull
> the TGT out of your credentials cache.
>
> This is something I realized recently that we need to improve. It's on my
> radar if no one else beats me to the punch..
>
>
> Ed Kohlwey wrote:
>
>> If I am writing a job that needs to access Accumulo, is there a way to
>> use the pluggable authentication system to do so "the right way" via
>> delegation tokens? Unlike Hadoop, YARN, and Hive, I can find no
>> reference to a delegation token system in the current Accumulo sources.
>> It looks like there were some commits a long time ago from John Vines
>> where he created something called KerberosToken, but it looks like it's
>> gone now.
>>
>> What is the intended interaction pattern? Is there a way to do this sort
>> of thing without using PasswordToken and passing your password all over
>> the place?
>>
>
