hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Tue, 01 Jul 2014 20:56:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049317#comment-14049317 ]

Larry McCay commented on HADOOP-10769:
--------------------------------------

That isn't exactly accurate, it is required by a distributed implementation that requires
delegation tokens - which is an anti-pattern in my mind. A better approach is to get all keys
upfront and add them to the credentials object as is done with delegation tokens - I understand
that this has been discussed on the other jiras but that doesn't mean that all other implementations
should be required to have it. I also don't like that HDFS will always call this and have
to deal with null when a different provider is configured. It is an abstraction leak.

I don't want to debate whether delegation tokens should be used or not - I'd like to pursue
other ways for you to get the token without changing the provider interface to explicitly
call it out as a requirement.

Perhaps, we could add a call for creating an execution context where we pass in some properties
and get back a context with additional properties.

{code}
    public HashMap<String, Object> getKeyProviderContext(HashMap<String,Object> properties);
{code}

This would be essentially a means to get a provider some callbacks into the execution environment
and a way to pass provider specific context back to the execution environment.

This isn't completely thought through but this is the sort of direction that I would like
rather than making implementation details part of the provider interface. What do you think?

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
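
The context exchange proposed in the comment above, as an added sketch that is not code from the thread or from Hadoop. Apart from the `getKeyProviderContext` signature quoted in the comment, every type, property name and value here is hypothetical; the point is that the caller never asks for a token by name and never handles a null.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch: none of these types are Hadoop classes.
public class KeyProviderContextSketch {

    // The provider interface gains only an opaque context exchange.
    interface KeyProvider {
        HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> properties);
    }

    // A provider with local key material has nothing to hand back.
    static class LocalProvider implements KeyProvider {
        public HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> properties) {
            return new HashMap<>();
        }
    }

    // A remote provider that happens to use tokens returns one under a key
    // of its own choosing. The token value is a constructed placeholder.
    static class RemoteProvider implements KeyProvider {
        public HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> properties) {
            HashMap<String, Object> ctx = new HashMap<>();
            Object renewer = properties.get("renewer"); // constructed property name
            ctx.put("remote.provider.token", "PLACEHOLDER-TOKEN-for-" + renewer);
            return ctx;
        }
    }

    // The caller copies whatever comes back into the credentials it ships to
    // worker processes. It contains no token-specific call and no null check.
    static Map<String, Object> collectCredentials(KeyProvider provider, String renewer) {
        HashMap<String, Object> props = new HashMap<>();
        props.put("renewer", renewer);
        Map<String, Object> credentials = new HashMap<>();
        credentials.putAll(provider.getKeyProviderContext(props));
        return credentials;
    }

    public static void main(String[] args) {
        // Same call path for both providers; only the returned context differs.
        System.out.println(collectCredentials(new LocalProvider(), "yarn"));
        System.out.println(collectCredentials(new RemoteProvider(), "yarn"));
    }
}
```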
