[ https://issues.apache.org/jira/browse/APEXCORE-636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tushar Gosavi updated APEXCORE-636: ----------------------------------- Summary: Ability to refresh tokens using user's own kerberos credentials in a managed environment (was: Ability to refresh tokens using user's own kerberos credentials in a managed environment where the application is launched using an admin with impersonation) > Ability to refresh tokens using user's own kerberos credentials in a managed > environment > ---------------------------------------------------------------------------------------- > > Key: APEXCORE-636 > URL: https://issues.apache.org/jira/browse/APEXCORE-636 > Project: Apache Apex Core > Issue Type: Bug > Reporter: Pramod Immaneni > Assignee: devendra tagare > Fix For: 3.6.0 > > > When applications run in secure mode, they use delegation tokens to access > Hadoop resources. These delegation tokens have a lifetime, typically 7 days, > after which they no longer work and the application will not be able to > communicate with Hadoop. Apex can automatically refresh these tokens before > they expire. To do this it requires Kerberos credentials which should be > supplied during launch time. > In a managed environment the user launching the application may not be > intended runtime user for the application. Apex today supports impersonation > to achieve this. Typically, a management application uses its own > credentials, which typically have higher privilege, to launch the application > and impersonate as a regular user so that the application runs as the regular > user. However, the admin credentials are also packaged with the application > to for refreshing the tokens described above. This can cause a security > concern because a regular user has access to a higher privilege Kerberos > credentials. > We need a way to specify alternate kerberos credentials to be used for token > refresh. Today there is a partially implemented feature for this which allows > specification of the refresh keytab using a property but not the principal. > We would need to add support for the principal as well. -- This message was sent by Atlassian JIRA (v6.3.15#6346)