hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12563) Updated utility to create/modify token files
Date Tue, 05 Jan 2016 17:40:39 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083440#comment-15083440 ]

Larry McCay commented on HADOOP-12563:
--------------------------------------

I find this patch really interesting.

It touches on some of the pain points that I have been thinking about for some time.
I would like to see a bit more of the specific problems that are solved by this approach though.
The attached generalized_token_usecase doc is a good start but I would like to see the addressed
problems enumerated.

I also wonder whether a token acquired through dtutil would be usable by services that can
be configured to only accept this token as representation of the authentication event. Given
some trust mechanism, such as SSL (even better, 2-way SSL), we should be able to cryptographically
verify and determine whether its issuer is from a trusted authority.

I'm also curious about the choice of protobuf for the token rather than JWT.
I'd like to understand the differences in portability that you see between the two.
JWT has become a very popular format for such things.

> Updated utility to create/modify token files
> --------------------------------------------
>
>                 Key: HADOOP-12563
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12563
>             Project: Hadoop Common
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: Matthew Paduano
>         Attachments: HADOOP-12563.01.patch, HADOOP-12563.02.patch, HADOOP-12563.03.patch,
>                      HADOOP-12563.04.patch, HADOOP-12563.05.patch, HADOOP-12563.06.patch,
>                      example_dtutil_commands_and_output.txt, generalized_token_case.pdf
>
>
> hdfs fetchdt is missing some critical features and is geared almost exclusively towards
> HDFS operations. Additionally, the token files that are created use Java serializations which
> are hard/impossible to deal with in other languages. It should be replaced with a better utility
> in common that can read/write protobuf-based token files, has enough flexibility to be used
> with other services, and offers key functionality such as append and rename. The old version
> file format should still be supported for backward compatibility, but will be effectively
> deprecated.
> A follow-on JIRA will deprecate fetchdt.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
