[ https://issues.apache.org/jira/browse/HDFS-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185590#comment-14185590 ]

Allen Wittenauer commented on HDFS-7295:
----------------------------------------


In general, users don't get keytabs.  Instead, headless accounts are used for 
long-lived services.  This is standard Kerberos better practices.  That aside:

bq. we need all nodes to have access to the keytabs

This is a solved problem.  The distributed cache is already used regularly for 
secret distribution.

bq. Also hadoop users now have to entrust hadoop admins with protecting their 
kerberos identity.

In many/most installations, this is already true due to access to the 
credential cache.

> Support arbitrary max expiration times for delegation token
> -----------------------------------------------------------
>
>                 Key: HDFS-7295
>                 URL: https://issues.apache.org/jira/browse/HDFS-7295
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Anubhav Dhoot
>
> Currently the max lifetime of HDFS delegation tokens is hardcoded to 7 days. 
> This is a problem for different users of HDFS such as long running YARN apps. 
> Users should be allowed to optionally specify max lifetime for their tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
