Hi,

Does the Sentry Service provide delegation tokens for processes without Kerberos credentials to communicate with it (from YARN containers)?

Use case: We have programs running in YARN accessing some entities on which authorization is enforced using Apache Sentry. There is a master process that can communicate with Sentry just fine using its Kerberos credentials. We have some level of caching implemented for ACLs as well, so we don't have to hit Sentry for every authorization request. However, given that this is a security feature, the cache needs to be updated very frequently. For updating this cache, going via the master every single time will create a bottleneck. So we wanted to explore if there was a way for a dedicated service running in YARN containers (not every program, but a dedicated service) to communicate with Sentry using delegation tokens. Exposing the master's Kerberos credentials to such a service is not an option because it would lead to a security loophole.

This would be similar to what KMS offers via https://issues.apache.org/jira/browse/HADOOP-10769.

Thanks in advance,
Bhooshan
