storm-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <>
Subject [jira] [Commented] (STORM-346) (Security) Oozie style delegation tokens for HDFS/HBase
Date Fri, 18 Jul 2014 20:16:10 GMT


ASF GitHub Bot commented on STORM-346:

Github user Parth-Brahmbhatt commented on the pull request:
    Here is what I have so far:
    User can specify as "nimbus.credential.renewers.classes" and AutoHDFS will
only implement ICredentialsRenewer. In the prepare phase of, which should be
called on nimbus startup, we can get the HDFS credentials. However, I don't think the topology
submitter user will be available at that time so we will not be able to get the token on behalf
of the user but only as nimbus which I feel is unacceptable. 
    In order to actually get the credentials as topology submitter user, we either need a
new Interface that will run on nimbus when a topology is submitted as part of submitTopologyWithOpts
implementation or we can add getCredentialForUser(Map conf) method to ICredentialsRenewer
interface and call that as part of submitTopologyWithOpts. I personally prefer not to pollute
the ICredentialsRenewer interface. Let me know if you have better alternatives or prefer one
over another.
    I have one last question. The ICredentialsRenewer implementations seems to be loaded by
reading "nimbus.credential.renewers.classes" config at startup by nimbus. This means the users
who have a running nimbus and wants to use AutoHDFS or any other implementation of ICredentialsRenewer
will have to change the config and restart the nimbus. Is that acceptable? 

> (Security) Oozie style delegation tokens for HDFS/HBase
> -------------------------------------------------------
>                 Key: STORM-346
>                 URL:
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Parth Brahmbhatt
>              Labels: security
> Oozie has the ability to fetch delegation tokens on behalf of other users by running
as a super user that can become a proxy user for almost anyone else.
> We should build one or more classes similar to AutoTGT that can fetch a delegation token
for HDFS/HBase, renew the token if needed, and then once the token is about to permanently
expire fetch a new one.
> According to some people I have talked with HBase may need to have a JIRA filed against
it so that it can pick up a new delegation token without needing to restart the process.

This message was sent by Atlassian JIRA

View raw message