hadoop-common-issues mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-8779) Use tokens regardless of authentication type
Date Tue, 23 Oct 2012 22:34:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482763#comment-13482763 ]

Kan Zhang commented on HADOOP-8779:
-----------------------------------

bq. That's not how the token routines are conditionalized today. Some simply return null if
isSecurityEnabled is false.

Today, tokens are only issued when Kerberos is used and using Kerberos is synonymous with security
being turned on. Hence isSecurityEnabled is used as a proxy for checking if Kerberos is used.
When Kerberos is not the only initial auth method to be paired with tokens, the checking should
be "is the client authenticated using the configured initial auth method(s)?"

bq. I don't believe it's the filesystem's responsibility to decide if a token can be issued.


The token is called NN delegation token. It's a credential that NN generates and manages for
its clients to connect back. It is the sole responsibility of NN to decide whether it should
issue, expire, or validate/accept a token for a given client. You lost me here. :-)

bq. If the user/job-client requests a token, then it should try to issue one.

Why? If SIMPLE instead of TOKEN is configured as subsequent auth method, why issue a token
that will never be used? Simplifying code is good, but not to the extent that unnecessary
objects are created and exchanged at runtime.

bq. We are not in stark opposition on this point. I'd rather we don't have multiple code paths,
but we can add conditionals to the job client to enable/disable token fetching, and to the
RPC client to only use tokens to allow SIMPLE + SIMPLE.

I don't think adding conditionals to the job client is needed. A config option for subsequent
auth method should suffice for now. This option decides whether the job client should fetch
tokens and whether RPC client for jobs should use tokens. It also tells NN whether it should
issue tokens.
                
> Use tokens regardless of authentication type
> --------------------------------------------
>
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  Authorization
> may be granted independently of the authentication model.  Tokens should be used regardless
> of simple or kerberos authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
