hadoop-hdfs-issues mailing list archives

From "Kan Zhang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-4056) Always start the NN's SecretManager
Date Mon, 22 Oct 2012 21:12:12 GMT

    [ https://issues.apache.org/jira/browse/HDFS-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481799#comment-13481799 ]

Kan Zhang commented on HDFS-4056:

bq. Bottom line is the server should always be able to figure out by itself whether a connection
is an initial connection or a subsequent one, based on the auth method (and type of credentials)
used, since it needs to decide on whether tokens can be issued for that connection.

The server already uses the auth the client sends in the rpc connection header to determine
the sasl method the client wants to use. The auth to the server then determines the UGI's
auth. The NN does not allow a UGI auth of token to issue, renew, or cancel tokens.

I don't think you get my point. It was a general comment. Since only connections authenticated
using the initial auth method(s) are allowed to fetch tokens (I assume we keep that behavior),
the server needs to be able to make a determination on whether a connection is authenticated
as an initial connection or a subsequent one. For example, if we were to support SIMPLE +
TOKEN and SIMPLE + SIMPLE simultaneously (I think not), how could the server decide a connection
authenticated with SIMPLE to be an initial connection or not?

bq. If we want to allow compatibility with older clients, then both SIMPLE + SIMPLE and SIMPLE
+ TOKEN must both be supported. Enabling the option of SIMPLE + TOKEN means we need the secret
manager enabled which is the aim of this patch.

I don't see a use case where SIMPLE + SIMPLE and SIMPLE + TOKEN need to be enabled simultaneously.
Can you elaborate? On the other hand, in the SIMPLE + SIMPLE use case I explained above, it
is desirable to be able to turn off any token-related stuff (we can do that today).

> Always start the NN's SecretManager
> -----------------------------------
>                 Key: HDFS-4056
>                 URL: https://issues.apache.org/jira/browse/HDFS-4056
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: name-node
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HDFS-4056.patch
> To support the ability to use tokens regardless of whether kerberos is enabled, the NN's secret manager should always be started.
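
The question raised in the comment above (can the server tell an initial connection from a subsequent one by auth method alone?) as an added example; it is a simplified model written for this page, not code from the JIRA thread or from Hadoop. The class `TokenGate`, its methods and the three configurations are hypothetical, and denying token operations in the ambiguous case is an assumption of the model.

```python
from enum import Enum


class Auth(Enum):
    SIMPLE = "SIMPLE"
    KERBEROS = "KERBEROS"
    TOKEN = "TOKEN"


class TokenGate:
    """Hypothetical model, not Hadoop code: decides whether a connection's
    auth method marks it as an initial connection that may fetch tokens."""

    def __init__(self, initial, subsequent):
        self.initial = frozenset(initial)        # methods accepted for first contact
        self.subsequent = frozenset(subsequent)  # methods accepted for follow-up connections

    def classify(self, auth):
        in_initial = auth in self.initial
        in_subsequent = auth in self.subsequent
        if in_initial and in_subsequent:
            return "ambiguous"  # the method alone cannot tell the two roles apart
        if in_initial:
            return "initial"
        if in_subsequent:
            return "subsequent"
        return "rejected"

    def may_issue_token(self, auth):
        # Assumption of this model: fail closed, so only an unambiguous
        # initial connection may issue, renew or cancel tokens.
        return self.classify(auth) == "initial"

    def ambiguous_methods(self):
        return self.initial & self.subsequent


# Constructed configurations named after the pairings discussed in the thread.
KERBEROS_TOKEN = TokenGate({Auth.KERBEROS}, {Auth.TOKEN})
SIMPLE_TOKEN = TokenGate({Auth.SIMPLE}, {Auth.TOKEN})
# SIMPLE + SIMPLE and SIMPLE + TOKEN enabled at the same time.
BOTH_SIMPLE = TokenGate({Auth.SIMPLE}, {Auth.SIMPLE, Auth.TOKEN})

if __name__ == "__main__":
    for name, gate in [("KERBEROS+TOKEN", KERBEROS_TOKEN),
                       ("SIMPLE+TOKEN", SIMPLE_TOKEN),
                       ("SIMPLE+SIMPLE with SIMPLE+TOKEN", BOTH_SIMPLE)]:
        for auth in Auth:
            print(f"{name:32} {auth.value:8} {gate.classify(auth):10} "
                  f"tokens={gate.may_issue_token(auth)}")
```

Calling `ambiguous_methods()` at configuration load time shows whether any auth method is accepted in both roles before the server takes connections.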
