[ 
https://issues.apache.org/jira/browse/HDFS-7295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14186420#comment-14186420
 ] 

Haohui Mai commented on HDFS-7295:
----------------------------------

Given the fact that in Hadoop there is no way to revoke a DT, expiration time 
serves as the last defense of stolen tokens.

From a security point of view, it is a horrible idea to have unlimited 
expiration time on DT without revocation mechanisms. It breaks the basic 
design principle of building a capability-based system, even if you make it 
configurable.

I don't think the current proposal is the right direction. I think the 
comments of both [~ste...@apache.org] and [~aw] make sense.



> Support arbitrary max expiration times for delegation token
> -----------------------------------------------------------
>
>                 Key: HDFS-7295
>                 URL: https://issues.apache.org/jira/browse/HDFS-7295
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Anubhav Dhoot
>            Assignee: Anubhav Dhoot
>
> Currently the max lifetime of HDFS delegation tokens is hardcoded to 7 days. 
> This is a problem for different users of HDFS such as long running YARN apps. 
> Users should be allowed to optionally specify max lifetime for their tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
