hadoop-hdfs-issues mailing list archives

From "Anubhav Dhoot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7295) Support arbitrary max expiration times for delegation token
Date Mon, 27 Oct 2014 18:40:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185582#comment-14185582 ]

Anubhav Dhoot commented on HDFS-7295:

Steve, thanks for bringing up the keytab solution, which we debated for a while.
My concern is that the damage with a stolen keytab is far greater than with the HDFS token. It's a universal
Kerberos identity versus something that works only with HDFS. An ops team might consider a longer
delegation token to be lower risk than having a more valuable asset - users' keytab - be
exposed on a wide surface area (we need all nodes to have access to the keytabs). Also, Hadoop
users now have to entrust Hadoop admins with protecting their Kerberos identity.

> Support arbitrary max expiration times for delegation token
> -----------------------------------------------------------
>                 Key: HDFS-7295
>                 URL: https://issues.apache.org/jira/browse/HDFS-7295
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Anubhav Dhoot
> Currently the max lifetime of HDFS delegation tokens is hardcoded to 7 days. This is
> a problem for different users of HDFS such as long running YARN apps. Users should be allowed
> to optionally specify max lifetime for their tokens.
