hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Tue, 01 Jul 2014 22:11:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049375#comment-14049375

Larry McCay commented on HADOOP-10769:

I'm sorry for not making my point more clearly.

Say we want a key provider for an external key system that does not use delegation tokens
but some other token instead.
Should we add a getXToken as well?

I am just trying to abstract away things like authentication tokens required by proprietary
providers and at the same time accommodate the KMS provider without imposing this method on
every provider.

So, if we were to create an execution context that we can then add to the credentials object
then it could be picked up by the services/tasks at runtime. Unfortunately, we will have to
know about certain names in order to put them in through the right method and get them out
from the right method. Unless we added a new method for setting/getting the whole context....?

I'm not sure what you are getting at with the "if the KeyProvider is not accessible from services/tasks
in the cluster it is pretty much useless." statement. How would a more generic approach to
getting required tokens make the key provider less accessible?

Anyway, I would be more comfortable with a more generic approach to this issue. This is after
all an SPI contract for accommodating arbitrary providers. If KMS has a requirement for extra
context information at runtime then others likely do as well.

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider
from processes without Kerberos credentials (ie Yarn containers).
> This is required for HDFS encryption and KMS integration.

This message was sent by Atlassian JIRA

View raw message