[ https://issues.apache.org/jira/browse/HDFS-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185582#comment-14185582 ]

Anubhav Dhoot commented on HDFS-7295:
-------------------------------------

Steve, thanks for bringing up the keytab solution, which we debated for a 
while.
My concern is the damage with a stolen keytab is far greater than the HDFS 
token. It's a universal Kerberos identity versus something that works only with 
HDFS. Ops team might consider a longer delegation token to be lower risk than 
having a more valuable asset - users' keytab - be exposed on a wide surface 
area (we need all nodes to have access to the keytabs). Also Hadoop users now 
have to entrust Hadoop admins with protecting their Kerberos identity.

> Support arbitrary max expiration times for delegation token
> -----------------------------------------------------------
>
>                 Key: HDFS-7295
>                 URL: https://issues.apache.org/jira/browse/HDFS-7295
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Anubhav Dhoot
>
> Currently the max lifetime of HDFS delegation tokens is hardcoded to 7 days. 
> This is a problem for different users of HDFS such as long running YARN apps. 
> Users should be allowed to optionally specify max lifetime for their tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
