apex-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (APEXCORE-636) Ability to refresh tokens using user's own kerberos credentials in a managed environment where the application is launched using an admin with impersonation
Date Wed, 08 Feb 2017 02:43:41 GMT

    [ https://issues.apache.org/jira/browse/APEXCORE-636?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857273#comment-15857273 ]

ASF GitHub Bot commented on APEXCORE-636:
-----------------------------------------

GitHub user devtagare opened a pull request:

    https://github.com/apache/apex-core/pull/467

    APEXCORE-636 - user level kerberos support

    @PramodSSImmaneni  could you please review

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/devtagare/incubator-apex-core APEXCORE-636

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/apex-core/pull/467.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #467
    
----
commit dfe1a23224092c63dbff3b3652199310cb709f7b
Author: devtagare <devtagare@gmail.com>
Date:   2017-02-08T02:42:17Z

    APEXCORE-636 - user level kerberos support

----


> Ability to refresh tokens using user's own kerberos credentials in a managed environment where the application is launched using an admin with impersonation
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: APEXCORE-636
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-636
>             Project: Apache Apex Core
>          Issue Type: Bug
>            Reporter: Pramod Immaneni
>            Assignee: devendra tagare
>
> When applications run in secure mode, they use delegation tokens to access Hadoop resources.
> These delegation tokens have a lifetime, typically 7 days, after which they no longer work
> and the application will not be able to communicate with Hadoop. Apex can automatically refresh
> these tokens before they expire. To do this it requires Kerberos credentials which should
> be supplied during launch time.
>
> In a managed environment the user launching the application may not be the intended runtime
> user for the application. Apex today supports impersonation to achieve this. Typically, a
> management application uses its own credentials, which typically have higher privilege, to
> launch the application and impersonate as a regular user so that the application runs as the
> regular user. However, the admin credentials are also packaged with the application for
> refreshing the tokens described above. This can cause a security concern because a regular
> user has access to higher privilege Kerberos credentials.
>
> We need a way to specify alternate Kerberos credentials to be used for token refresh.
> Today there is a partially implemented feature for this which allows specification of the
> refresh keytab using a property but not the principal. We would need to add support for the
> principal as well.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
