From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14556) S3A to support Delegation Tokens
Date Fri, 25 Aug 2017 17:13:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141904#comment-16141904 ]

Daryn Sharp commented on HADOOP-14556:
--------------------------------------

We've been running with s3 session tokens as delegation tokens for about a year.  Would have
pushed it back to community except I didn't have time to figure out how to write tests.  There
are a number of blockers with the currently posted patch:

I do notice the semantics of getDelegationToken are completely broken.  It must unconditionally
fetch a token, regardless of whether the UGI contains one.

The client morphs based on the current user.  This violates the client requirement to always
remain as the user when it was instantiated.  Security flaw.

This also doesn't consider that proxy users need special treatment to avoid being tricked
into using the wrong credentials.  Security flaw.

I'll toss up my patch today or Monday for your consideration.

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: HADOOP-14556-001.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these
> will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate
> the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial
> duration. Also, as you can't request an STS token from a temporary session, IAM instances
> won't be able to issue tokens.
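To make the first two blockers in the comment above concrete, here is an added toy model in Python; it is not Hadoop code and not the posted patch, and every name in it (Ugi, do_as, sts_issue, MorphingClient, PinnedClient) is a hypothetical stand-in. It contrasts a client that re-resolves the current user on every call with one pinned to the user that instantiated it, and shows a getDelegationToken that fetches unconditionally rather than returning whatever the UGI already holds.

```python
import contextvars
from dataclasses import dataclass, field

@dataclass
class Ugi:  # stand-in for Hadoop's UserGroupInformation: a user plus cached tokens
    name: str
    tokens: dict = field(default_factory=dict)

_current_user = contextvars.ContextVar("current_user")

def do_as(ugi, fn):
    """Run fn with ugi as the 'current user' (like UserGroupInformation.doAs)."""
    reset = _current_user.set(ugi)
    try:
        return fn()
    finally:
        _current_user.reset(reset)

def sts_issue(ugi):
    """Constructed stand-in for AWS STS: a session token bound to the requesting user."""
    return {"owner": ugi.name}

class MorphingClient:
    """The flawed pattern: the user is re-resolved on every call, so whoever
    is 'current' at call time has their credentials used."""
    def credentials(self):
        ugi = _current_user.get()
        return ugi.tokens.get("s3a") or sts_issue(ugi)

class PinnedClient:
    """Binds to the user that instantiated it and never changes afterwards."""
    def __init__(self):
        self.ugi = _current_user.get()

    def credentials(self):
        # Reuse a token already in the instantiating user's UGI, else ask STS;
        # either way the owner is always self.ugi.
        return self.ugi.tokens.get("s3a") or sts_issue(self.ugi)

    def get_delegation_token(self):
        # Always fetch a new token, regardless of what the UGI already holds.
        return sts_issue(self.ugi)

def demo():
    """Both clients are created as alice; later, code running as bob reuses them."""
    alice, bob = Ugi("alice"), Ugi("bob")
    morphing = do_as(alice, MorphingClient)
    pinned = do_as(alice, PinnedClient)
    return (do_as(bob, morphing.credentials)["owner"],
            do_as(bob, pinned.credentials)["owner"])
```

demo() returns ("bob", "alice"): the morphing client silently switches to bob's credentials, the pinned client does not.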
