Pramod Immaneni created APEXCORE-636:
----------------------------------------

             Summary: Ability to refresh tokens using user's own kerberos 
credentials in a managed environment where the application is launched using an 
admin with impersonation
                 Key: APEXCORE-636
                 URL: https://issues.apache.org/jira/browse/APEXCORE-636
             Project: Apache Apex Core
          Issue Type: Bug
            Reporter: Pramod Immaneni


When applications run in secure mode, they use delegation tokens to access 
Hadoop resources. These delegation tokens have a lifetime, typically 7 days, 
after which they no longer work and the application will not be able to 
communicate with Hadoop. Apex can automatically refresh these tokens before 
they expire. To do this it requires Kerberos credentials which should be 
supplied during launch time.

In a managed environment the user launching the application may not be the 
intended runtime user for the application. Apex today supports impersonation to 
achieve this. Typically, a management application uses its own credentials, 
which typically have higher privilege, to launch the application and 
impersonate a regular user so that the application runs as the regular user. 
However, the admin credentials are also packaged with the application for 
refreshing the tokens described above. This can cause a security concern 
because a regular user has access to higher privilege Kerberos credentials.

We need a way to specify alternate kerberos credentials to be used for token 
refresh. Today there is a partially implemented feature for this which allows 
specification of the refresh keytab using a property but not the principal. We 
would need to add support for the principal as well.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
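Added example, not code from this issue or from the Apache Apex code base: a Java sketch of the model the issue asks for, in which a dedicated refresh principal and keytab are read from configuration (the property names `example.token.refresh.principal` and `example.token.refresh.keytab` are placeholders, since the issue does not name Apex's keys) and used to obtain fresh Hadoop delegation tokens for the runtime user. The refresh identity is the regular user's own, so no admin keytab has to be shipped with the application; if the refresh principal differs from the runtime user, a proxy-user UGI is created and Hadoop's proxy-user rules must permit that impersonation. The token file path is assumed to be whatever the application reads its tokens from.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/**
 * Illustrative delegation-token refresh using a dedicated, low-privilege
 * Kerberos identity instead of the admin credentials used at launch time.
 * This is an added example; the property names are hypothetical placeholders
 * and not Apex configuration keys.
 */
public class RefreshTokensWithOwnCredentials {

  // Hypothetical property names (assumption): both principal and keytab are
  // configured, which is the gap the issue describes.
  static final String REFRESH_PRINCIPAL = "example.token.refresh.principal";
  static final String REFRESH_KEYTAB = "example.token.refresh.keytab";

  /**
   * Logs in with the refresh principal/keytab, obtains new delegation tokens
   * for the runtime user and writes them to the token file the application
   * reads. Returns the credentials so callers can inspect the issued tokens.
   */
  public static Credentials refresh(final Configuration conf, final String runtimeUser,
      Path tokenFile) throws IOException, InterruptedException {
    final String principal = conf.get(REFRESH_PRINCIPAL);
    final String keytab = conf.get(REFRESH_KEYTAB);
    if (principal == null || keytab == null) {
      throw new IOException("refresh principal and keytab must both be configured");
    }

    // Separate login for token refresh: the identity here is the regular
    // user's own principal, so no higher-privilege keytab is packaged.
    UserGroupInformation refreshUgi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

    // Tokens must be requested as the identity that will use them. When the
    // refresh principal is not the runtime user, impersonate via a proxy UGI
    // (Hadoop must allow this principal to proxy runtimeUser).
    UserGroupInformation tokenUgi = refreshUgi.getShortUserName().equals(runtimeUser)
        ? refreshUgi
        : UserGroupInformation.createProxyUser(runtimeUser, refreshUgi);

    final Credentials credentials = new Credentials();
    tokenUgi.doAs(new PrivilegedExceptionAction<Void>() {
      @Override
      public Void run() throws IOException {
        FileSystem fs = FileSystem.get(conf);
        // The renewer is the refresh principal, which can extend token lifetime
        // until the next full refresh without any admin involvement.
        Token<?>[] tokens = fs.addDelegationTokens(principal, credentials);
        if (tokens == null || tokens.length == 0) {
          throw new IOException("no delegation tokens issued for " + runtimeUser);
        }
        return null;
      }
    });

    // Persist the fresh tokens where the application picks them up
    // (path is an assumption for this example).
    credentials.writeTokenStorageFile(tokenFile, conf);
    return credentials;
  }
}
```

The point to check when adopting such a scheme is that the refresh keytab's principal carries only the privileges the runtime user already has; if the keytab still belongs to the admin, packaging it with the application recreates exactly the exposure the issue describes.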
