> On Mar 8, 2016, at 11:36 PM, Tim I <t...@timisrael.com> wrote: > > Hi Josh, > Basically anything with a kerberos ticket could no longer could communicate > with anything else after 7 days due to the default config for the kerberos > server : > renew_lifetime = 7d > > The delegation token I believe was the reason for this since it didn't have > access to the original service keytab. > > However, what I want to verify is if delegation tokens play any role in > non-kerberized clusters and if there is anything else that might inhibit > long running services in that environment. > > My suspicion is probably not. I'll continue testing. If anyone knows > definitively, I'd love to hear about it.
You are correct - delegation tokens should not play a role in a non-secure environment. What was the specific nature of the issues? i.e. which component ended up seeing the expiration issue? there has been work to resolve that issue since 0.50. > > Thanks! > > Tim > On Mar 8, 2016 11:13 PM, "Josh Elser" <josh.el...@gmail.com> wrote: > >> Hi Tim, >> >> I wish I definitively knew the current state of things, but I don't >> anymore. I agree with your assessment though -- there should be no hard >> limit (the current docs state this as requirements too, >> http://slider.incubator.apache.org/docs/security.html). >> >> Was the 7-day expiration you referred to in the Slider app-master? Or the >> application Slider was running (e.g. HBase)? >> >> Tim I wrote: >> >>> Hi all, >>> >>> My previous experience with Slider is in a Kerberized cluster using Slider >>> 0.50.. It required me to restart the apps every 7 days (due to ticket >>> expiration). >>> >>> Based on what I've read, I don't think there is anything preventing a >>> non-Kerberized cluster from running apps indefinitely. Is that correct, >>> or >>> am I missing something? >>> >>> I'm currently using Hadoop 2.6.0 if it matters. >>> >>> Thanks, >>> >>> Tim >>> >>>
