hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8779) Use tokens regardless of authentication type
Date Mon, 22 Oct 2012 16:40:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481489#comment-13481489
] 

Daryn Sharp commented on HADOOP-8779:
-------------------------------------

bq. The deeper issue is whether the client should make its decision on what auth method to
use based on configuration, or on what credentials are currently available. I think the former
is better and easier to reason.

I think we need to be clear on which client we are discussing to avoid confusion.  The is
the low-level RCP client uses a token if available, else kerberos or simple.  Then there's
a high-level client, like the job client, that needs to determine if it should get a token.

bq. If the required credentials are not available, it should complain rather than automatically
switch to make a different type of connection (a task switching from token to SIMPLE would
defeat your testing purpose)

True, it would defeat the purpose, which is why I've long considered whether job submission
should set a conf key that forces a task to only use tokens which is what I think you are
also suggesting.  This would help with secure clusters to prevent the user from seeing a large
confusing sasl exception from the rpc client when a token is unavailable.  I planned to raise
this issue when we get to MR's job client deciding if it get should get tokens.

I agree these are all very valid questions that we need to address.  I hope these don't block
HDFS-4056 and HADOOP-8785 (not posted because it depends on HDFS-4056).  These jiras are incremental
steps forward that are independent from this larger discussion.  These jiras will not change
job submission or task execution behavior until the job client is changed.


                
> Use tokens regardless of authentication type
> --------------------------------------------
>
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  Authorization
may be granted independently of the authentication model.  Tokens should be used regardless
of simple or kerberos authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message