hadoop-common-issues mailing list archives

From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Fri, 04 Jul 2014 01:13:33 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052066#comment-14052066 ]

Aaron T. Myers commented on HADOOP-10769:
-----------------------------------------

bq. Do you think that we could make it more generic though?

I'm sure we could, but I suggest we cross that bridge when we come to it. Hadoop currently
does delegated authentication via {{DelegationTokens}} everywhere, so let's do something to
support that and move on. If in the future we have need for other stuff, we'll amend the API
appropriately. Seems quite premature to me to attempt to design a generic API when we don't
have any concrete alternate use-cases.

bq. Out of curiosity, why does it return an array of Tokens?

The various callers use it for different things, e.g. in some places just to log which tokens
were renewed. I don't think it's actually integral to the functioning of the API, just a convenience.

bq. If we were to open it up to include other things, like keys or passwords, etc then we
could just make it an add credentials method call:<snip>

In general I'm really leery of a {{HashMap<String,Object>}}-based API. That seems quite
fragile to me, and very overly-generic for the common use case of just dealing with DTs.

How about as a way forward with this JIRA we go with the "{{public Token<?>[] addDelegationTokens(final
String renewer, Credentials credentials)}}" added to {{KeyProvider}} as I proposed, and revisit
a more generic API in the future when we actually have a concrete need for it? We could then
perhaps later add a "{{addAdditionalCredentials}}" API call or something to accommodate non-DT-based
implementations. It is *soft*ware, after all. :)

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider
> from processes without Kerberos credentials (ie Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
