> On 9 Mar 2016, at 13:59, Jon Maron <jma...@hortonworks.com> wrote: > >> >> On Mar 8, 2016, at 11:36 PM, Tim I <t...@timisrael.com> wrote: >> >> Hi Josh, >> Basically anything with a kerberos ticket could no longer could communicate >> with anything else after 7 days due to the default config for the kerberos >> server : >> renew_lifetime = 7d >> >> The delegation token I believe was the reason for this since it didn't have >> access to the original service keytab. >> >> However, what I want to verify is if delegation tokens play any role in >> non-kerberized clusters and if there is anything else that might inhibit >> long running services in that environment. >> >> My suspicion is probably not. I'll continue testing. If anyone knows >> definitively, I'd love to hear about it. > > You are correct - delegation tokens should not play a role in a non-secure > environment.
AM/RM tokens are always used; the AM always needs to be updating this every few hours; this ought to be handled automatically