hadoop-hdfs-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HDFS-9525) hadoop utilities need to support provided delegation tokens
Date Fri, 22 Jan 2016 21:42:39 GMT

    [ https://issues.apache.org/jira/browse/HDFS-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15113149#comment-15113149
] 

Daryn Sharp commented on HDFS-9525:
-----------------------------------

-1 No, feedback was not addressed, a bug was introduced, and the tests were changed to verify
the new bug occurs.  Strikethru on the one point addressed.

bq. -If a code change is necessary, UGI should use Configuration#getTrimmedStrings- and unconditionally
call Credentials.readTokenStorageFile instead of allowing the user to specify an invalid setting.
Only webhdfs related change is WebHdfsFileSystem.canRefreshDelegationToken should default
to true.

The last and most important point was overlooked and webhdfs is broken.  The tests used to:
# call getfilestatus and verify a token is sent
# clear the token with the comment {{// wipe out internal token to simulate auth always required}}
# call getfilestatus again to specifically verify no token is sent - because auth is expected

This patch changed #3 to verify the opposite behavior:  the same token as #1 is passed.  Again,
just change {{this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled();}}
to {{this.canRefreshDelegationToken = true;}} and it will cause webhdfs to look for a token
even if security is off.  Nothing else in webhdfs should require a change.


> hadoop utilities need to support provided delegation tokens
> -----------------------------------------------------------
>
>                 Key: HDFS-9525
>                 URL: https://issues.apache.org/jira/browse/HDFS-9525
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: HeeSoo Kim
>            Priority: Blocker
>             Fix For: 3.0.0
>
>         Attachments: HDFS-7984.001.patch, HDFS-7984.002.patch, HDFS-7984.003.patch, HDFS-7984.004.patch,
HDFS-7984.005.patch, HDFS-7984.006.patch, HDFS-7984.007.patch, HDFS-7984.patch, HDFS-9525.008.patch,
HDFS-9525.009.patch, HDFS-9525.009.patch, HDFS-9525.branch-2.008.patch, HDFS-9525.branch-2.009.patch
>
>
> When using the webhdfs:// filesystem (especially from distcp), we need the ability to
inject a delegation token rather than webhdfs initialize its own.  This would allow for cross-authentication-zone
file system accesses.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message