Posted to dev@ranger.apache.org by "Alok Lal (JIRA)" <ji...@apache.org> on 2015/10/08 07:10:27 UTC

[jira] [Commented] (RANGER-686) Allow specifying keytabs in Ranger repositories

    [ https://issues.apache.org/jira/browse/RANGER-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948084#comment-14948084 ] 

Alok Lal commented on RANGER-686:
---------------------------------

Use case is valid and a good one for Ranger to address.  However, let me play devil's advocate and pose the following questions:
- Won't sites' best practices also require rotation of keytab passwords periodically for the same reasons that drive them to change passwords?
- Usually machines are pretty locked down.  How would we get the keytabs up to the ranger machines?
- We would have to deal with ranger HA deployments, i.e. when a keytab is uploaded it would have to be made available on all hosts running ranger-admin.
- Would having keytabs lying on the disk provide another attack vector?  Today the passwords are kept in the database tables that store service config, which is protected by usual means.  Now, however, we would have to also protect keytab locations.  Though this would be no different from keytabs stored on other non-ranger machines.

> Allow specifying keytabs in Ranger repositories
> -----------------------------------------------
>
>                 Key: RANGER-686
>                 URL: https://issues.apache.org/jira/browse/RANGER-686
>             Project: Ranger
>          Issue Type: New Feature
>            Reporter: Velmurugan Periasamy
>            Assignee: Gautam Borad
>             Fix For: 0.6.0
>
>
> PROBLEM: Currently you have to specify a principal and password when configuring Ranger repositories.  It would be useful to allow specifying a principal and keytab instead of password for authenticating the lookup-client user.
> USE CASE:  Sites which have regular password expiration will experience the lookup clients fail routinely.  Also specifying keytab instead of password is considered a best practice.


