hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8779) Use tokens regardless of authentication type
Date Tue, 23 Oct 2012 14:01:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482330#comment-13482330 ]

Daryn Sharp commented on HADOOP-8779:

bq. {quote}3. Remove all the conditionals from the filesystems for whether tokens can be acquired
and/or used{quote}
bq. I'm not sure this should be done, since the filesystem still needs to decide whether a
token can be issued based on whether the client is authenticated using the configured initial
auth method.

That's not how the token routines are conditionalized today.  Some simply return null if {{isSecurityEnabled}}
is false.

I don't believe it's the filesystem's responsibility to decide if a token can be issued. 
If the user/job-client requests a token, then it should try to issue one.  This will help
solve incompatibilities where secure & insecure clusters cannot be accessed with the same
client config.

bq.  I think this is where we have differences. In my view, when SIMPLE + SIMPLE is configured,
there should be no tokens issued or submitted (as it is today).

We are not in stark opposition on this point.  I'd rather we don't have multiple code paths,
but we can add conditionals to the job client to enable/disable token fetching, and to the
RPC client to only use tokens to allow SIMPLE + SIMPLE.
> Use tokens regardless of authentication type
> --------------------------------------------
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  Authorization
> may be granted independently of the authentication model.  Tokens should be used regardless
> of simple or kerberos authentication.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira