[jira] [Resolved] (APEXCORE-636) Ability to refresh tokens using user's own kerberos credentials in a managed environment where the application is launched using an admin with impersonation

Fri, 24 Feb 2017 07:20:11 -0800 

     [ 
https://issues.apache.org/jira/browse/APEXCORE-636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pramod Immaneni resolved APEXCORE-636.
--------------------------------------
    Resolution: Fixed

> Ability to refresh tokens using user's own kerberos credentials in a managed 
> environment where the application is launched using an admin with 
> impersonation
> ------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: APEXCORE-636
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-636
>             Project: Apache Apex Core
>          Issue Type: Bug
>            Reporter: Pramod Immaneni
>            Assignee: devendra tagare
>
> When applications run in secure mode, they use delegation tokens to access 
> Hadoop resources. These delegation tokens have a lifetime, typically 7 days, 
> after which they no longer work and the application will not be able to 
> communicate with Hadoop. Apex can automatically refresh these tokens before 
> they expire. To do this it requires Kerberos credentials which should be 
> supplied during launch time.
> In a managed environment the user launching the application may not be 
> intended runtime user for the application. Apex today supports impersonation 
> to achieve this. Typically, a management application uses its own 
> credentials, which typically have higher privilege, to launch the application 
> and impersonate as a regular user so that the application runs as the regular 
> user. However, the admin credentials are also packaged with the application 
> to for refreshing the tokens described above. This can cause a security 
> concern because a regular user has access to a higher privilege Kerberos 
> credentials.
> We need a way to specify alternate kerberos credentials to be used for token 
> refresh. Today there is a partially implemented feature for this which allows 
> specification of the refresh keytab using a property but not the principal. 
> We would need to add support for the principal as well.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to