hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Owen O'Malley (JIRA)" <j...@apache.org>
Subject [jira] Commented: (HADOOP-6419) Change RPC layer to support SASL based mutual authentication
Date Mon, 01 Feb 2010 06:53:51 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-6419?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12828020#action_12828020
] 

Owen O'Malley commented on HADOOP-6419:
---------------------------------------

I can answer some of the Token questions.

TokenIdentifier is the information that is specific to that kind of token. In the case of
the HDFS delegation token, it is things like the user's name, when it was granted, the maximum
lifetime, etc. For job token's the identifier is the job id. The other part of the token,
which is the password is the hmac hash of the serialized identifier combined with the secret
key.

TokenSelector is the class that selects the token (from the set that the user has) to use
for this particular rpc connection.  For example, map 0 of my job will have a JobToken and
a HDFS DelegationToken. The JobToken will be used to connect to the TaskTracker to ask for
work and the DelegationToken will be used to connect to the NameNode. Also note that a single
job may talk to multiple NameNodes and will need a different delegation token for each.




> Change RPC layer to support SASL based mutual authentication
> ------------------------------------------------------------
>
>                 Key: HADOOP-6419
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6419
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6419-26.patch, c6419-39.patch, c6419-45.patch, c6419-66.patch,
c6419-67.patch, c6419-69.patch, c6419-70.patch
>
>
> The authentication mechanism to use will be SASL DIGEST-MD5 (see RFC-2222 and RFC-2831)
or SASL GSSAPI/Kerberos. Since J2SE 5, Sun provides a SASL implementation by default. Both
our delegation token and job token can be used as credentials for SASL DIGEST-MD5 authentication.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message