hadoop-hdfs-issues mailing list archives

From "Anubhav Dhoot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-7295) Support arbitrary max expiration times for delegation token
Date Mon, 27 Oct 2014 18:40:34 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185582#comment-14185582 ]

Anubhav Dhoot commented on HDFS-7295:
-------------------------------------

Steve, thanks for bringing up the keytab solution, which we debated for a while.
My concern is the damage with a stolen keytab is far greater than the HDFS token. It's a universal
Kerberos identity versus something that works only with HDFS. Ops team might consider a longer
delegation token to be lower risk than having a more valuable asset - users' keytab - be
exposed on a wide surface area (we need all nodes to have access to the keytabs). Also, Hadoop
users now have to entrust Hadoop admins with protecting their Kerberos identity.

> Support arbitrary max expiration times for delegation token
> -----------------------------------------------------------
>
>                 Key: HDFS-7295
>                 URL: https://issues.apache.org/jira/browse/HDFS-7295
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Anubhav Dhoot
>
> Currently the max lifetime of HDFS delegation tokens is hardcoded to 7 days. This is
> a problem for different users of HDFS such as long running YARN apps. Users should be allowed
> to optionally specify max lifetime for their tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
