From: Harsh J
Date: Sun, 18 Mar 2012 01:06:18 +0530
Subject: Re: Kerberos and Delegation Tokens
To: common-user@hadoop.apache.org

Hey Praveen,

Please read Section 4 (HDFS), [Sub-point 1 - Performance] of the
security design document available as an attachment at
https://issues.apache.org/jira/browse/HADOOP-4487

Let us know if that clears your doubt.

On Sat, Mar 17, 2012 at 4:58 PM, Praveen Sripati wrote:
> Hi,
>
> According to the 'Hadoop - The Definitive Guide'
>
>> In a distributed system like HDFS or MapReduce, there are many
>> client-server interactions, each of which must be authenticated. For
>> example, an HDFS read operation will involve multiple calls to the namenode
>> and calls to one or more datanodes. Instead of using the three-step
>> Kerberos ticket exchange protocol to authenticate each call, which would
>> present a high load on the KDC on a busy cluster, Hadoop uses delegation
>> tokens to allow later authenticated access without having to contact the
>> KDC again.
>
> Once the authentication is established between the client and the NameNode,
> there is no need to contact the KDC (Key Distribution Center) till the
> ticket expires for any NameNode queries. So, I don't see how delegation
> tokens will lower the burden on the KDC by having to contact the KDC fewer
> times.
>
> Could someone please explain to me how delegation tokens help?
>
> Praveen

--
Harsh J