hadoop-common-issues mailing list archives

From "Santhosh G Nayak (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14640) Azure: Support affinity for service running on localhost and reuse SPNEGO hadoop.auth cookie for authorization, SASKey and delegation token generation
Date Thu, 13 Jul 2017 16:00:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Santhosh G Nayak updated HADOOP-14640:
--------------------------------------
    Attachment: HADOOP-14640.2.patch

Thanks [~jnp] for reviewing the patch.

Yes. {{AuthenticatedURL.Token}} does not provide the expiry time of the token. So, I introduced
the {{SpnegoToken}} class to represent the {{SPNEGO}} token, which provides information about the
validity of the token along with the token itself.
The token used in the {{hadoop.auth}} cookie follows the SPNEGO standard and will have an expiry time (represented
as {{e}}) in it. So, I think it will be better if we can reuse that information, instead
of setting a different expiry time on our end and treating it as opaque.

Regarding {{expiryTime > System.currentTimeMillis() + 1000 * 60 * 5L}}, I am adding a 5-minute
buffer to proactively get a new token, to save the additional network calls of requests which can
definitely fail because of the token expiry, and to eliminate any issues which can arise because
of time differences between machines (if any).

I have attached another patch addressing the checkstyle-related comments and a bug fix where
the impersonation context is getting lost in {{SecureWasbRemoteCallHelper.getHttpRequest()}} as
it is being invoked inside {{ugi.doAs()}}.

> Azure: Support affinity for service running on localhost and reuse SPNEGO hadoop.auth
cookie for authorization, SASKey and delegation token generation
> ------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14640
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14640
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>              Labels: security
>         Attachments: HADOOP-14640.1.patch, HADOOP-14640.2.patch
>
>
> Currently, {{WasbRemoteCallHelper}} can be configured to talk to a comma-separated list of URLs for authorization, SASKey generation and delegation token generation.
> To improve the performance, if the service runs on the local machine, give it first preference over the other configured list of URLs.
> Currently, {{WasbRemoteCallHelper}} generates a {{hadoop.auth}} cookie for every request by talking to the remote service, before making the actual REST requests.
> The proposal is to reuse the {{hadoop.auth}} cookie for subsequent requests from the same {{WasbRemoteCallHelper}} object until its expiry time.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
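
The reuse decision discussed in the message above, as an added example (not code from HADOOP-14640.2.patch or its {{SpnegoToken}} class): it reads the {{e}} attribute from a {{hadoop.auth}} cookie value and applies the same five-minute buffer. The class name, the sample cookie and the assumed `u=…&p=…&t=…&e=…&s=…` layout are illustrative assumptions.

```java
import java.util.OptionalLong;

/** Hypothetical helper for illustration; not the SpnegoToken class from the patch. */
public class HadoopAuthCookieExpiry {
    // Five-minute buffer, as in the expression quoted in the message.
    static final long REFRESH_BUFFER_MS = 1000 * 60 * 5L;

    /** Returns the e= attribute (epoch millis), or empty if it is absent or malformed. */
    static OptionalLong parseExpiry(String cookieValue) {
        if (cookieValue == null) {
            return OptionalLong.empty();
        }
        String v = cookieValue.trim();
        // The cookie value may arrive wrapped in double quotes.
        if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
            v = v.substring(1, v.length() - 1);
        }
        for (String attr : v.split("&")) {
            if (attr.startsWith("e=")) {
                try {
                    return OptionalLong.of(Long.parseLong(attr.substring(2)));
                } catch (NumberFormatException ex) {
                    return OptionalLong.empty();
                }
            }
        }
        return OptionalLong.empty();
    }

    /**
     * Reuse the cookie only if it outlives now + buffer. An unknown expiry is
     * treated as "not reusable", so the caller fetches a fresh token instead of
     * sending a request that may be rejected. The server still enforces expiry.
     */
    static boolean isReusable(String cookieValue, long nowMillis) {
        OptionalLong expiry = parseExpiry(cookieValue);
        return expiry.isPresent() && expiry.getAsLong() > nowMillis + REFRESH_BUFFER_MS;
    }

    public static void main(String[] args) {
        // Constructed sample value; the signature is a placeholder, not a real one.
        String cookie = "\"u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=1499961600000&s=PLACEHOLDER\"";
        long expiry = 1499961600000L;
        System.out.println(isReusable(cookie, expiry - 10 * 60 * 1000L)); // ten minutes left
        System.out.println(isReusable(cookie, expiry - 4 * 60 * 1000L));  // inside the buffer
        System.out.println(isReusable("u=alice&t=kerberos", 0L));          // no e= attribute
    }
}
```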
