hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Thu, 03 Jul 2014 17:39:34 GMT

[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051744#comment-14051744 ]

Larry McCay commented on HADOOP-10769:
--------------------------------------

That seems pretty convoluted.

Let's step back a second - so that the full use case is clear.

* consumers of the managed keys will need access to them from services/tasks at execution time
* some of the keys will be unknown until file access time
* so, at job submission time KMS delegation tokens are needed so that the services/tasks can access the required keys as the submitting user later as they discover the need for the specific keys from HDFS ext attrs
* therefore the delegation tokens have to be in the credentials file
* they will also need to be made available to the KMSClientKeyProvider to include in the request to the KMS

So, we need:

1. the ability to get the KMS delegation token at job submission time
2. the ability to add it to and get it from the credentials file (already available in Credentials)
    - though it seems that this has to be done by the consuming code not the KMSClientKeyProvider code
3. the ability to supply the delegation token to the KMSClientKeyProvider when requesting keys

My questions:

A. For #1 can't we have a standalone DelegationTokenClient component - especially since there is another jira for refactoring delegation token support out into common to be more reusable? Such a client could then potentially be used inside the KMSClientKeyProvider.
B. Wouldn't it be better if providers that know they need delegation tokens were able to handle #2 themselves?
C. How is #3 above going to be handled using the current interfaces - I don't see how it is being added to the interaction currently?
D. If the KMSClientKeyProvider had access to the credentials object (already have access to UserKeyProvider) or some other execution context itself then could that be a way that #3 could be addressed?


> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
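The three steps the comment lists (get the KMS token at submission, carry it in the Credentials file, make it reachable to the KMS client in the task), as an added example that is not code from the JIRA or from Hadoop itself. The Credentials, Token and UserGroupInformation calls are the real Hadoop Common APIs; the DelegationTokenClient interface is a hypothetical stand-in for the standalone client proposed in question A, and the "kms-dt" alias is an assumed name.

```java
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

public class KmsTokenFlow {
    // Alias under which the KMS token is stored in the credentials file (assumed name).
    static final Text KMS_TOKEN_ALIAS = new Text("kms-dt");

    // Hypothetical standalone token client (question A); not an existing Hadoop API.
    interface DelegationTokenClient {
        Token<? extends TokenIdentifier> getDelegationToken(String renewer) throws IOException;
    }

    // Steps 1 and 2, submission side: the consuming (job client) code fetches the token
    // as the submitting user and writes it into the credentials file the tasks will get.
    static void addKmsTokenAtSubmission(DelegationTokenClient client, String renewer,
                                        Credentials creds, Path credsFile,
                                        Configuration conf) throws IOException {
        Token<? extends TokenIdentifier> t = client.getDelegationToken(renewer);
        creds.addToken(KMS_TOKEN_ALIAS, t);
        creds.writeTokenStorageFile(credsFile, conf);
    }

    // Step 2, task side: read the credentials file back and look the token up by alias.
    // Failing loudly here is preferable to a later, harder-to-diagnose KMS auth failure.
    static Token<? extends TokenIdentifier> loadKmsToken(Path credsFile, Configuration conf)
            throws IOException {
        Credentials creds = Credentials.readTokenStorageFile(credsFile, conf);
        Token<? extends TokenIdentifier> t = creds.getToken(KMS_TOKEN_ALIAS);
        if (t == null) {
            throw new IOException("no KMS delegation token under alias " + KMS_TOKEN_ALIAS);
        }
        return t;
    }

    // Step 3, one option along the lines of question D: attach the token to the task's
    // current UGI so a provider with access to the execution context can find it,
    // instead of threading it through the KeyProvider interface by hand.
    static void exposeToProvider(Path credsFile, Configuration conf) throws IOException {
        Token<? extends TokenIdentifier> t = loadKmsToken(credsFile, conf);
        Credentials c = new Credentials();
        c.addToken(KMS_TOKEN_ALIAS, t);
        UserGroupInformation.getCurrentUser().addCredentials(c);
    }
}
```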
