[ https://issues.apache.org/jira/browse/KAFKA-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15178887#comment-15178887 ]

Eron Wright commented on KAFKA-1696:
-------------------------------------

I'd like clarification on whether renewal is possible using the delegation token for authentication, and whether an infinite expiration will be possible (with the appropriate configuration).

I'm thinking of the scenario of a production-level Flink streaming job, consuming a topic in perpetuity. The client that submits the job should obtain a delegation token using their Kerberos credential, then hand the delegation token to the running job. The job should periodically renew the token(s). Ideally the delegation token may be used to authenticate the renewal request. It doesn't seem easy to have Flink use a Kerberos credential to renew it, but may be possible with a service principal of some kind.

The notion that the token eventually expires seems incompatible with long-running jobs. A key purpose of delegation tokens is to avoid distributing keytabs, but how does that reconcile with expiration?

> Kafka should be able to generate Hadoop delegation tokens
> ---------------------------------------------------------
>
>                 Key: KAFKA-1696
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1696
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jay Kreps
>            Assignee: Parth Brahmbhatt
>
> For access from MapReduce/etc jobs run on behalf of a user.