Posted to dev@apex.apache.org by Pramod Immaneni <pr...@datatorrent.com> on 2017/02/03 18:51:13 UTC

Token refresh principal support

When applications run in secure mode, they use delegation tokens to access
Hadoop resources. These delegation tokens have a lifetime, typically 7
days, after which they no longer work and the application will not be able
to communicate with Hadoop. Apex can automatically refresh these tokens
before they expire. To do this it requires Kerberos credentials which
should be supplied during launch time.

In a managed environment the user launching the application may not be
the intended runtime user for the application. Apex today supports
impersonation to achieve this. Typically, a management application uses its
own credentials, which typically have higher privilege, to launch the
application and impersonate as a regular user so that the application runs
as the regular user. However, the admin credentials are also packaged with
the application for refreshing the tokens described above. This can
cause a security concern because a regular user has access to
higher-privilege Kerberos credentials.

We need a way to specify alternate Kerberos credentials to be used for
token refresh. Today there is a partially implemented feature for this
which allows specification of the refresh keytab using a property but not
the principal. We would need to add support for the principal as well. Does
anybody want to take this up?

Thanks
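An added illustration of the separation the post asks for, written for this page and not code from Apex or the thread's author: it logs in with a dedicated refresh principal and keytab (hypothetical property names `example.token.refresh.principal` and `example.token.refresh.keytab`), acts as the runtime user through Hadoop proxy-user impersonation, fetches fresh HDFS delegation tokens, and refuses to run if the refresh principal is the launcher's own identity.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;

/**
 * Illustrative helper, not Apex code: obtains HDFS delegation tokens for the
 * runtime user with a dedicated low-privilege refresh principal, so the
 * launcher's admin keytab never has to ship inside the application package.
 */
public class TokenRefresher {

  // Hypothetical property names; the real property for the refresh principal
  // is what APEXCORE-636 is meant to add.
  static final String REFRESH_PRINCIPAL = "example.token.refresh.principal";
  static final String REFRESH_KEYTAB = "example.token.refresh.keytab";

  public static Credentials refresh(Configuration conf, String runtimeUser, Path tokenFile)
      throws IOException, InterruptedException {
    String principal = conf.get(REFRESH_PRINCIPAL);
    String keytab = conf.get(REFRESH_KEYTAB);
    if (principal == null || keytab == null) {
      throw new IOException("refresh principal and keytab must both be configured");
    }
    // Never fall back to the launcher's identity: packaging that keytab with
    // the application is exactly the exposure the thread describes.
    UserGroupInformation launcher = UserGroupInformation.getLoginUser();
    if (principal.equals(launcher.getUserName())) {
      throw new IOException("refresh principal must differ from the launch principal");
    }
    // Separate login from the refresh keytab; does not replace the process login user.
    UserGroupInformation refreshUgi =
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytab);
    // Act as the runtime user so tokens are issued in its name. The refresh
    // principal must be an authorized proxy user in core-site.xml for this to work.
    UserGroupInformation proxy = UserGroupInformation.createProxyUser(runtimeUser, refreshUgi);
    final Credentials creds = new Credentials();
    proxy.doAs((PrivilegedExceptionAction<Void>) () -> {
      FileSystem fs = FileSystem.get(conf);
      // Name the refresh principal as renewer so it can also renew before expiry.
      fs.addDelegationTokens(principal, creds);
      return null;
    });
    creds.writeTokenStorageFile(tokenFile, conf);
    return creds;
  }
}
```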

Re: Token refresh principal support

Posted by Pramod Immaneni <pr...@datatorrent.com>.
Here is the JIRA. Let's have further discussion on the JIRA so it is
available for reference.

https://issues.apache.org/jira/browse/APEXCORE-636

Thanks

On Fri, Feb 3, 2017 at 11:05 AM, Pramod Immaneni <pr...@datatorrent.com>
wrote:

Re: Token refresh principal support

Posted by Pramod Immaneni <pr...@datatorrent.com>.
Sounds good. I will create a JIRA and assign to you.

On Fri, Feb 3, 2017 at 11:01 AM, Devendra Tagare <de...@datatorrent.com>
wrote:

Re: Token refresh principal support

Posted by Devendra Tagare <de...@datatorrent.com>.
Hi,

I would like to take this up.

Thanks,
Dev

On Fri, Feb 3, 2017 at 10:51 AM, Pramod Immaneni <pr...@datatorrent.com>
wrote: