hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10769) Add getDelegationToken() method to KeyProvider
Date Wed, 02 Jul 2014 16:35:25 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050289#comment-14050289

Alejandro Abdelnur commented on HADOOP-10769:

It is not the intention, at all, to relegate external providers to be plugged into KMS to

The intention is to enable the Hadoop KeyProvider API with a security pattern managed and
understood by existing Hadoop services: storage, propagation, renewal of tokens is already
handled throughout the platform. The DelegationToken framework already does all this. And
an external provider can fully leverage this without having to be deployed via KMS.

If you deploy an external provider via KMS you get then additional benefits out of the box:
scalability, caching, isolated DEK management.

Also, note that {{getDelegationToken()}} does not handle authentication, just getting
a delegation token. Authentication is assumed to be done via UGI mechanisms.

Regarding context values for a given provider, UGI credentials are already used in that way.

Because of this, IMO, I think we are good with DelegationToken support for now. And I'm happy
to consider changes if a concrete example not handled by it arises.

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider
> from processes without Kerberos credentials (i.e. YARN containers).
> This is required for HDFS encryption and KMS integration.
