hadoop-common-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harsh J <ha...@cloudera.com>
Subject Re: Kerberos and Delegation Tokens
Date Sat, 17 Mar 2012 19:36:18 GMT
Hey Praveen,

Please read Section 4 (HDFS), [Sub-point 1 - Performance] of the
security design document available as an attachment at
https://issues.apache.org/jira/browse/HADOOP-4487

Let us know if that clears your doubt.

On Sat, Mar 17, 2012 at 4:58 PM, Praveen Sripati
<praveensripati@gmail.com> wrote:
> Hi,
>
> According to the 'Hadoop - The Definitive Guide'
>
>> In a distributed system like HDFS or MapReduce, there are many
> client-server interactions, each of which must be authenticated. For
> example, an HDFS read operation will involve multiple calls to the namenode
> and calls to one or more datanodes. Instead of using the three-step
> Kerberos ticket exchange protocol to authenticate each call, which would
> present a high load on the KDC on a busy cluster, Hadoop uses delegation
> tokens to allow later authenticated access without having to contact the
> KDC again.
>
> Once the authentication is established between the client and the NameNode,
> there is no need to contact the KDC (Key Distribution Center) till the
> ticket expires for any NameNode queries. So, I don't see how delegation
> tokens will lower the burden on the KDC by having to contact the KDC fewer
> times.
>
> Could someone please explain me how delegation tokens help?
>
> Praveen



-- 
Harsh J

Mime
View raw message