apex-dev mailing list archives

From "Pramod Immaneni (JIRA)" <j...@apache.org>
Subject [jira] [Created] (APEXCORE-636) Ability to refresh tokens using user's own Kerberos credentials in a managed environment where the application is launched using an admin with impersonation
Date Fri, 03 Feb 2017 19:04:51 GMT
Pramod Immaneni created APEXCORE-636:
----------------------------------------

             Summary: Ability to refresh tokens using user's own Kerberos credentials in
a managed environment where the application is launched using an admin with impersonation
                 Key: APEXCORE-636
                 URL: https://issues.apache.org/jira/browse/APEXCORE-636
             Project: Apache Apex Core
          Issue Type: Bug
            Reporter: Pramod Immaneni


When applications run in secure mode, they use delegation tokens to access Hadoop resources.
These delegation tokens have a lifetime, typically 7 days, after which they no longer work
and the application will not be able to communicate with Hadoop. Apex can automatically refresh
these tokens before they expire. To do this it requires Kerberos credentials which should
be supplied during launch time.

In a managed environment the user launching the application may not be the intended runtime
user for the application. Apex today supports impersonation to achieve this. Typically, a
management application uses its own credentials, which typically have higher privilege, to
launch the application and impersonate a regular user so that the application runs as the
regular user. However, the admin credentials are also packaged with the application for
refreshing the tokens described above. This can cause a security concern because a regular
user has access to higher privilege Kerberos credentials.

We need a way to specify alternate Kerberos credentials to be used for token refresh. Today
there is a partially implemented feature for this which allows specification of the refresh
keytab using a property but not the principal. We would need to add support for the principal
as well.
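The separation the issue asks for, sketched as an added Java example using the Hadoop `UserGroupInformation` API (this is illustration written for this page, not Apex code, and it does not show how Apex wires the properties). On the launch side the admin identity logs in from its own keytab and impersonates the runtime user to obtain the initial delegation tokens; on the refresh side, inside the running application, only the runtime user's own principal and keytab are used, so the admin keytab never has to be packaged with the application. All principals, keytab paths and the user name are placeholders, and the proxy-user mapping (`hadoop.proxyuser.*`) that allows the admin to impersonate is assumed to be configured on the cluster.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Illustration (not Apex code): keep the launching (admin) identity and the
 * token-refresh identity separate so that only the runtime user's own keytab
 * travels with the application.
 */
public class SeparateRefreshCredentials {

    // Placeholder values: the admin keytab exists only on the launching host.
    static final String ADMIN_PRINCIPAL = "admin/launcher@EXAMPLE.COM";
    static final String ADMIN_KEYTAB = "/etc/security/keytabs/admin.keytab";

    // Placeholder values: the runtime user's own principal and keytab, which are
    // the only credentials shipped with the application for refresh.
    static final String RUNTIME_USER = "alice";
    static final String USER_PRINCIPAL = "alice@EXAMPLE.COM";
    static final String USER_KEYTAB = "/etc/security/keytabs/alice.keytab";

    /**
     * Launch side: the admin logs in with its own keytab, impersonates the runtime
     * user, and obtains the initial delegation tokens on that user's behalf.
     * Assumes hadoop.proxyuser.<admin>.* allows this impersonation.
     */
    static Credentials obtainInitialTokens(Configuration conf)
            throws IOException, InterruptedException {
        UserGroupInformation admin =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(ADMIN_PRINCIPAL, ADMIN_KEYTAB);
        UserGroupInformation proxy = UserGroupInformation.createProxyUser(RUNTIME_USER, admin);
        return proxy.doAs((PrivilegedExceptionAction<Credentials>) () -> {
            Credentials creds = new Credentials();
            // Tokens are issued to the proxied user; the renewer is the runtime user.
            FileSystem.get(conf).addDelegationTokens(RUNTIME_USER, creds);
            return creds;
        });
    }

    /**
     * Refresh side: runs inside the application, before the tokens' lifetime
     * (typically 7 days) ends. Uses the runtime user's own Kerberos credentials
     * only; no admin keytab is needed or present here.
     */
    static Credentials refreshTokens(Configuration conf)
            throws IOException, InterruptedException {
        UserGroupInformation user =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(USER_PRINCIPAL, USER_KEYTAB);
        // Re-login if the TGT obtained from the keytab is close to expiry.
        user.checkTGTAndReloginFromKeytab();
        return user.doAs((PrivilegedExceptionAction<Credentials>) () -> {
            Credentials fresh = new Credentials();
            FileSystem.get(conf).addDelegationTokens(RUNTIME_USER, fresh);
            return fresh;
        });
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        Credentials initial = obtainInitialTokens(conf);   // done by the management application
        Credentials renewed = refreshTokens(conf);         // done periodically inside the app
        System.out.println("initial tokens: " + initial.numberOfTokens()
            + ", refreshed tokens: " + renewed.numberOfTokens());
    }
}
```

The point the split makes visible: whatever property pair ends up naming the refresh principal and keytab, the application package only needs to carry the runtime user's credentials, and the higher-privilege admin keytab stays on the host that performs the launch.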



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
