hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-14556) S3A to support Delegation Tokens
Date Mon, 15 Oct 2018 10:01:00 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-14556:
------------------------------------
    Status: Patch Available  (was: Open)

Patch 012; checkstyle and weekly update patch

* adding options to core-default.xml
* address previous patch javadoc issues

Main change is that the session token will lift and forward any existing session credentials
its auth chain provides. The standard DT login chain is "simple" (full keys in config options)
and env vars, but if the env vars are session vars or the chain is configured to use Temporary
credentials then those creds are marshalled into the DT *after a warning is logged*.

The warning & docs cover a limitation of forwarding: the token life is now that of the
existing credentials, which we don't know. But: it allows people who only have session creds
(e.g. issued by 2FA) to pass them on as DTs.

Role DTs don't handle this: you can't call STS.assumeRole with session tokens.

TODO
* add a test for session credential forwarding
* salvage something from the MR test which uses a mock yarn client for job submit, so avoiding
the challenge of getting a secure mini yarn cluster up.
* only log that forwarding once

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 3.2.0
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>         Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch, HADOOP-14556-003.patch,
HADOOP-14556-004.patch, HADOOP-14556-005.patch, HADOOP-14556-007.patch, HADOOP-14556-008.patch,
HADOOP-14556-009.patch, HADOOP-14556-010.patch, HADOOP-14556-010.patch, HADOOP-14556-011.patch,
HADOOP-14556-012.patch, HADOOP-14556.oath-002.patch, HADOOP-14556.oath.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
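The three issuance paths the message above describes, as an added example that is not part of the original message or of hadoop-aws: a session DT minted from full keys via STS, the lift-and-forward of pre-existing session credentials with a one-off warning and an expiry the issuer does not know, and refusal to mint a role DT from session credentials. The AwsCredentials/DelegationToken classes, the base64/JSON wire format, the StubSts client, the fixed clock NOW and every key and ARN value are constructed for the example; a real issuer would call STS GetSessionToken/AssumeRole and use Hadoop's own token serialization.

```python
"""Model of the S3A delegation-token (DT) issuance paths described above.
Added example, not hadoop-aws code: credential/token classes, the JSON wire
format, StubSts and the fixed timestamp NOW are all constructed here."""
import base64
import json
import logging
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

log = logging.getLogger("s3a-dt-example")
NOW = datetime(2018, 10, 15, 10, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class AwsCredentials:
    access_key: str
    secret_key: str
    session_token: Optional[str] = None  # set => temporary (session) credentials

    @property
    def is_session(self) -> bool:
        return bool(self.session_token)


@dataclass(frozen=True, repr=False)
class DelegationToken:
    kind: str                   # "session", "forwarded-session" or "role"
    creds: AwsCredentials
    expiry: Optional[datetime]  # None: lifetime inherited from forwarded creds, unknown here

    def to_bytes(self) -> bytes:
        """Marshal for shipping with a job (constructed base64/JSON format)."""
        body = {"kind": self.kind, **asdict(self.creds),
                "expiry": self.expiry.isoformat() if self.expiry else None}
        return base64.b64encode(json.dumps(body).encode("utf-8"))

    @classmethod
    def from_bytes(cls, blob: bytes) -> "DelegationToken":
        body = json.loads(base64.b64decode(blob))
        creds = AwsCredentials(body["access_key"], body["secret_key"], body["session_token"])
        exp = body["expiry"]
        return cls(body["kind"], creds, datetime.fromisoformat(exp) if exp else None)

    def __repr__(self) -> str:
        # The token carries live secrets that travel with jobs: keep them out of logs.
        return f"DelegationToken(kind={self.kind!r}, access_key={self.creds.access_key!r}, expiry={self.expiry})"


class StubSts:
    """Stand-in for STS GetSessionToken / AssumeRole; returns constructed credentials."""

    def __init__(self, now: datetime):
        self.now = now

    def get_session_token(self, duration_s: int):
        creds = AwsCredentials("ASIASTUBSESSION00000", "stub-session-secret", "stub-session-token")
        return creds, self.now + timedelta(seconds=duration_s)

    def assume_role(self, role_arn: str, duration_s: int):
        creds = AwsCredentials("ASIASTUBROLE00000000", "stub-role-secret", "stub-role-token")
        return creds, self.now + timedelta(seconds=duration_s)


class TokenIssuer:
    def __init__(self, sts: StubSts, duration_s: int = 3600):
        self.sts = sts
        self.duration_s = duration_s
        self.forwarded = 0        # how many DTs carried pre-existing session creds
        self.warnings_logged = 0  # the TODO above: warn about forwarding only once

    def session_token(self, creds: AwsCredentials) -> DelegationToken:
        """Session DT: fresh STS creds from full keys, else lift and forward the session creds."""
        if creds.is_session:
            self.forwarded += 1
            if self.warnings_logged == 0:
                log.warning("Forwarding existing session credentials into the DT; "
                            "its lifetime is that of those credentials and is unknown here")
                self.warnings_logged += 1
            return DelegationToken("forwarded-session", creds, None)
        fresh, expiry = self.sts.get_session_token(self.duration_s)
        return DelegationToken("session", fresh, expiry)

    def role_token(self, creds: AwsCredentials, role_arn: str) -> DelegationToken:
        """Role DT: refused for session creds, since assumeRole is not attempted with them."""
        if creds.is_session:
            raise PermissionError("role DTs need full credentials, not session tokens")
        fresh, expiry = self.sts.assume_role(role_arn, self.duration_s)
        return DelegationToken("role", fresh, expiry)


def token_usable(token: DelegationToken, now: datetime) -> Optional[bool]:
    """True if known valid, False if known expired, None if the lifetime is unknown."""
    if token.expiry is None:
        return None
    return now < token.expiry


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    issuer = TokenIssuer(StubSts(NOW))
    full = AwsCredentials("AKIAFULLKEY000000000", "full-secret")            # constructed
    mfa = AwsCredentials("ASIAMFASESSION000000", "mfa-secret", "mfa-token")  # constructed
    for creds in (full, mfa, mfa):  # second mfa call must not warn again
        dt = issuer.session_token(creds)
        print(dt, "usable now:", token_usable(dt, NOW))
    print(issuer.role_token(full, "arn:aws:iam::123456789012:role/example"))
    try:
        issuer.role_token(mfa, "arn:aws:iam::123456789012:role/example")
    except PermissionError as e:
        print("role DT refused:", e)
```

The point a consumer of such a token has to live with is visible in `token_usable`: a forwarded token has no expiry the issuer can vouch for, so a job holding one can only discover expiry by having S3 reject it, whereas a token minted from full keys carries a known deadline that can be checked before the job is submitted.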

