storm-dev mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (STORM-346) (Security) Oozie style delegation tokens for HDFS/HBase
Date Fri, 18 Jul 2014 19:26:05 GMT

    [ https://issues.apache.org/jira/browse/STORM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14066765#comment-14066765 ]

ASF GitHub Bot commented on STORM-346:
--------------------------------------

Github user Parth-Brahmbhatt commented on the pull request:

    https://github.com/apache/incubator-storm/pull/190#issuecomment-49469937
  
    The simplest alternative seems to be no implementation for IAutoCredentials needed for AutoHDFS to work. In other words, users will not have to specify any class for the "topology.auto-credentials" config for auto hdfs to work.
    
    The user will specify AutoHDFS.java as "nimbus.credential.renewers.classes" and AutoHDFS will only implement ICredentialsRenewer. In the prepare phase of AutoHDFS.java, which should be called on nimbus startup, we can get the HDFS credentials.
    
    I have one clarifying question. The ICredentialsRenewer implementations seem to be loaded by reading the "nimbus.credential.renewers.classes" config at startup by nimbus. If I understand correctly, this means if we use ICredentialsRenewer, the users who have a running nimbus and want to use AutoHDFS will have to change the config and restart the nimbus. Is that acceptable?

    
    



> (Security) Oozie style delegation tokens for HDFS/HBase
> -------------------------------------------------------
>
>                 Key: STORM-346
>                 URL: https://issues.apache.org/jira/browse/STORM-346
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Parth Brahmbhatt
>              Labels: security
>
> Oozie has the ability to fetch delegation tokens on behalf of other users by running as a super user that can become a proxy user for almost anyone else.
> We should build one or more classes similar to AutoTGT that can fetch a delegation token for HDFS/HBase, renew the token if needed, and then once the token is about to permanently expire fetch a new one.
> According to some people I have talked with HBase may need to have a JIRA filed against it so that it can pick up a new delegation token without needing to restart the process.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
