hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14556) S3A to support Delegation Tokens
Date Fri, 15 Dec 2017 19:09:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-14556:
------------------------------------
    Attachment: HADOOP-14556-002.patch

Patch 002; in sync with trunk. FileContext tests still failing, as paths returned in getFileStatus/list,
etc, don't include the port, that is: they don't have the same URI as the canonical name.

Daryn, if you've got your patch ready, I'd like to see it to see how we can merge things.

For this DT I want to
* add: encryption settings,
* forward session credentials
* pick up env vars and use them if present. Gives you automatic marshalling. Issue: risk of fun with spark here, as it propagates the env vars already. These DTs would take priority for the specific FSs DTs get picked up for. I guess we can conclude that if you enable DTs, you want it
* support assumed roles, so that the client will talk to STS to assume a role before creating the client, and use that for local s3, DDB access, and pass in as the DT credentials

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>         Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
