When creating a kerberized Hive or HDFS cluster, the service principals hive/hive.namespace.xy for Hive and nn/hdfs.namespace.xy, dn/hdfs.namespace.xy, jn/hdfs.namespace.xy for HDFS will be created automatically and get an initial password at creation time. Rolling those passwords would be great to satisfy security guidelines that require yearly or monthly password changes of the service principals.
The complexity might hide in keeping the clusters safe and available while rolling the password, because there might be clients talking to HDFS permanently. These clients should not recognise any change of passwords.
This should work especially for external LDAP systems centrally provisioned by a certain team.
Best case for a user would be that the password is automatically rolled without any human action, similar to rolling certificates. Beyond that comfort, a fully automated routine would enable users to decrease the password lifetime to a minimum.
@soenkeliebau as mentioned today