hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Updated: (HADOOP-6373) adding delegation token implementation
Date Sun, 22 Nov 2009 21:47:39 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-6373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Owen O'Malley updated HADOOP-6373:

    Attachment: token.patch

Here is a rough sketch of what I'd propose. The relevant differences:

1. The TokenIdentifiers are pulled out and made into classes. Each kind of Token will define
three classes:
  a. The TokenIdentifier class that contains the fields of the token.
  b. The TokenPicker class searches through the tokens in a user's Subject to find the token
for a given RPC connection.
  c. The SecretManager class handles the secrets that are used to create and validate the
2. The serialization of each of the TokenIdentifiers is done via standard Writable interfaces.
3. The client-side Tokens are not sub-classed. They just contain bytes for the serialized
token identifier and corresponding password. They also have a "kind", which represents what
kind of token they are, and "service", which represents which instance of the service the
token is for. For HDFS delegation tokens, they would be "hdfs.delegation" and "$namenode:$port".
4. The TokenIdentifiers are subclassed and store their values as explicit fields, which makes
using their values much easier. It will also be easier to move over to Avro when our RPC supports
it. That will simplify putting in versioning into the token identifiers.
5. Using thread local Mac's means that the servers don't need to hold a global lock while
they compute the HMAC-SHA1.
6. Dividing up the token handlers into SecretManagers means that all of the common code for
interfacing to SASL will be shared.

> adding delegation token implementation
> --------------------------------------
>                 Key: HADOOP-6373
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6373
>             Project: Hadoop Common
>          Issue Type: Sub-task
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: partial1.patch, token.patch
> The over-all design of delegation token is given in HADOOP-4343. This subtask is for
detailed design and implementation.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message