[
https://issues.apache.org/jira/browse/APEXCORE-636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tushar Gosavi updated APEXCORE-636:
-----------------------------------
Summary: Ability to refresh tokens using user's own kerberos credentials in
a managed environment (was: Ability to refresh tokens using user's own
kerberos credentials in a managed environment where the application is launched
using an admin with impersonation)
> Ability to refresh tokens using user's own kerberos credentials in a managed
> environment
> ----------------------------------------------------------------------------------------
>
> Key: APEXCORE-636
> URL: https://issues.apache.org/jira/browse/APEXCORE-636
> Project: Apache Apex Core
> Issue Type: Bug
> Reporter: Pramod Immaneni
> Assignee: devendra tagare
> Fix For: 3.6.0
>
>
> When applications run in secure mode, they use delegation tokens to access
> Hadoop resources. These delegation tokens have a lifetime, typically 7 days,
> after which they no longer work and the application will not be able to
> communicate with Hadoop. Apex can automatically refresh these tokens before
> they expire. To do this it requires Kerberos credentials, which should be
> supplied at launch time.
> In a managed environment the user launching the application may not be the
> intended runtime user for the application. Apex today supports impersonation
> to achieve this. Typically, a management application uses its own
> credentials, which typically have higher privilege, to launch the application
> and impersonate a regular user so that the application runs as the regular
> user. However, the admin credentials are also packaged with the application
> for refreshing the tokens described above. This can cause a security
> concern because a regular user has access to higher-privilege Kerberos
> credentials.
> We need a way to specify alternate Kerberos credentials to be used for token
> refresh. Today there is a partially implemented feature for this which allows
> specification of the refresh keytab using a property but not the principal.
> We would need to add support for the principal as well.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
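The refresh path the issue asks for, shown as an added example in Java against the public Hadoop `UserGroupInformation` / `FileSystem` APIs. This is not Apex code and does not use Apex's property names (the page does not give them); the property keys `example.token.refresh.principal` and `example.token.refresh.keytab`, the class name, and the use of the YARN ResourceManager principal as token renewer are assumptions for illustration. The point it demonstrates is that token renewal logs in with a separate, low-privilege refresh identity and never needs the admin keytab that was used for the impersonated launch, and it adds the check a practitioner wants here: the refresh principal must resolve to the same short user name the application is running as, so a higher-privilege credential cannot be silently substituted.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/**
 * Added example, not part of Apache Apex: refresh Hadoop delegation tokens using a
 * dedicated refresh principal/keytab (the runtime user's own) instead of the
 * higher-privilege admin keytab that launched the application with impersonation.
 */
public class TokenRefreshExample {

    // Assumed property names for this example only; the real Apex keys are not on the page.
    static final String REFRESH_PRINCIPAL_PROP = "example.token.refresh.principal";
    static final String REFRESH_KEYTAB_PROP = "example.token.refresh.keytab";
    // Usual choice of renewer for a YARN application: the ResourceManager principal.
    static final String RM_PRINCIPAL_PROP = "yarn.resourcemanager.principal";

    /**
     * Log in with the refresh credentials, obtain fresh delegation tokens for the
     * configured file system and attach them to the currently running (impersonated) user.
     * Returns the credentials that were added, so the caller can log expiry times.
     */
    public static Credentials refreshTokens(final Configuration conf)
            throws IOException, InterruptedException {
        String principal = conf.get(REFRESH_PRINCIPAL_PROP);
        String keytab = conf.get(REFRESH_KEYTAB_PROP);
        if (principal == null || keytab == null) {
            throw new IllegalStateException(
                "both " + REFRESH_PRINCIPAL_PROP + " and " + REFRESH_KEYTAB_PROP + " must be set");
        }

        // The user the application is actually running as (set up by impersonation at launch).
        UserGroupInformation runtimeUser = UserGroupInformation.getCurrentUser();

        // Log in with the refresh identity only. Nothing in this method touches the admin keytab.
        UserGroupInformation refreshUgi =
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);

        // Safety check: the refresh credentials must belong to the runtime user. Refusing a
        // mismatch is what prevents a higher-privilege principal from being used for renewal.
        if (!refreshUgi.getShortUserName().equals(runtimeUser.getShortUserName())) {
            throw new SecurityException("refresh principal " + principal
                + " does not map to runtime user " + runtimeUser.getShortUserName());
        }

        final String renewer = conf.get(RM_PRINCIPAL_PROP);
        if (renewer == null) {
            throw new IllegalStateException(RM_PRINCIPAL_PROP + " must be set to choose a renewer");
        }

        // Request new delegation tokens as the refresh identity.
        Credentials fresh = refreshUgi.doAs(new PrivilegedExceptionAction<Credentials>() {
            @Override
            public Credentials run() throws IOException {
                Credentials creds = new Credentials();
                FileSystem fs = FileSystem.get(conf);
                Token<?>[] issued = fs.addDelegationTokens(renewer, creds);
                if (issued == null || issued.length == 0) {
                    throw new IOException("no delegation tokens were issued for " + fs.getUri());
                }
                return creds;
            }
        });

        // Make the new tokens visible to the running application without changing its identity.
        runtimeUser.addCredentials(fresh);
        return fresh;
    }

    /** Report the new expiry of each token; renew() returns the expiry as epoch milliseconds. */
    public static void logExpiry(Credentials creds, Configuration conf)
            throws IOException, InterruptedException {
        for (Token<?> token : creds.getAllTokens()) {
            long expiry = token.renew(conf);
            System.out.println(token.getService() + " valid until " + new java.util.Date(expiry));
        }
    }

    public static void main(String[] args) throws Exception {
        Configuration conf = new Configuration();
        // In a real deployment these come from the application's configuration, not hard-coded.
        conf.set(REFRESH_PRINCIPAL_PROP, System.getProperty("refresh.principal"));
        conf.set(REFRESH_KEYTAB_PROP, System.getProperty("refresh.keytab"));
        Credentials fresh = refreshTokens(conf);
        logExpiry(fresh, conf);
    }
}
```

The keytab named by the refresh property should be readable only by the runtime user (mode 0400, owned by that user) and shipped separately from the launcher's admin keytab; with that split, an operator who can read the application's files obtains only the credential of the user the application already runs as.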