ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alok Lal (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-686) Allow specifying keytabs in Ranger repositories
Date Thu, 08 Oct 2015 05:10:27 GMT

    [ https://issues.apache.org/jira/browse/RANGER-686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948084#comment-14948084

Alok Lal commented on RANGER-686:

Use case is valid and good one for Ranger to address.  However, let me play devils advocate
and pose the following questions:
- Won't sites' best practices also require rotation of keytab passwords periodically for same
reasons that drive them to change passwords?
- Usually machines are pretty locked down.  How would we get the keytabs up to the ranger
- We would have to deal with ranger HA deployments, i.e. when a keytab is uploaded it would
have to be made available on all hosts running ranger-admin.
- Would having a keytabs lying on the disk provide another attack vector?  Today the passwords
are kept in the database tables that store service config which is protected by usual means.
 Now, however, we would have to also protect keytabs locations.  Thought his would be no different
from keytabs stored on other non-ranger machines.

> Allow specifying keytabs in Ranger repositories
> -----------------------------------------------
>                 Key: RANGER-686
>                 URL: https://issues.apache.org/jira/browse/RANGER-686
>             Project: Ranger
>          Issue Type: New Feature
>            Reporter: Velmurugan Periasamy
>            Assignee: Gautam Borad
>             Fix For: 0.6.0
> PROBLEM: Currently you have to specify a principal and password when configuring Ranger
repositories.  It would be useful to allow specifying a principal and keytab instead of password
for authenticating the lookup-client user.
> USE CASE:  Sites which have regular password expiration will experience the lookup clients
fail routinely.  Also specifying keytab instead of password is considered a best practice.

This message was sent by Atlassian JIRA

View raw message