hadoop-hdfs-issues mailing list archives

From "Yi Liu (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HDFS-7580) NN -> JN communication should use reusable authentication methods
Date Sun, 04 Jan 2015 01:02:11 GMT

    [ https://issues.apache.org/jira/browse/HDFS-7580?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14263689#comment-14263689 ]

Yi Liu edited comment on HDFS-7580 at 1/4/15 1:01 AM:
------------------------------------------------------

Hi [~qwertymaniac], the RPC is authenticated per connection, so for each socket connection,
the authentication happens once. Not all requests are carried out with a Kerberos authentication,
since the connections are reused for requests. So this should not be an issue.

As for the delegation token, it's indeed faster, but it is usually used in different scenarios. For example,
for the existing HDFS delegation token there are several reasons; some of them are:
*1.* It's used in MR jobs to access the user's files/directories on HDFS.
*2.* Fast: it's a two-party authentication protocol involving only the client and server.


was (Author: hitliuyi):
Hi [~qwertymaniac], the RPC is authenticated per connection, so for each socket connection,
the authentication happens once. Not all requests are carried out with a Kerberos authentication,
since the connection is used for requests. So this should not be an issue.

As for the delegation token, it's indeed faster, but it is usually used in different scenarios. For example,
for the existing HDFS delegation token there are several reasons; some of them are:
*1.* It's used in MR jobs to access the user's files/directories on HDFS.
*2.* Fast: it's a two-party authentication protocol involving only the client and server.

> NN -> JN communication should use reusable authentication methods
> -----------------------------------------------------------------
>
>                 Key: HDFS-7580
>                 URL: https://issues.apache.org/jira/browse/HDFS-7580
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: journal-node, namenode
>    Affects Versions: 2.5.0
>            Reporter: Harsh J
>
> It appears that NNs talk to JNs via general SaslRPC in secure mode, causing all requests
> to be carried out with a Kerberos authentication. This can cause delays and occasionally NN
> failures if the KDC used does not respond in its default timeout period (30s, whereas the
> QJM writes come with default of 20s).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
