hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10771) Refactor HTTP delegation support out of httpfs to common
Date Thu, 07 Aug 2014 23:51:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090048#comment-14090048 ]

Alejandro Abdelnur commented on HADOOP-10771:
---------------------------------------------

[~daryn], thanks for reviewing this, both by patch and by chatting with me over the phone.

The patch is moving existing logic into common and doing minimal fixes; the follow-up JIRAs
are taking care of most of your concerns. Specifically the UGI handling and proxyuser handling.

The auth cookie is required to avoid doing SPNEGO handshake (requesting a service ticket from
the KDC) on every request. If network sniffing is an issue, then HTTPS should be used to avoid
that. If a process itself gives away the cookie, then that is no different than a process
via RPC asking for several delegation tokens and giving them away.

I'll open a JIRA to clean up the exceptions and propagate info to the client to regenerate
and throw.

Thx

> Refactor HTTP delegation support out of httpfs to common
> --------------------------------------------------------
>
>                 Key: HADOOP-10771
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10771
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>         Attachments: COMBO.patch, COMBO.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.patch, HADOOP-10771.sh
>
>
> HttpFS implements delegation token support in {{AuthenticationFilter}} & {{AuthenticationHandler}} subclasses.
> For HADOOP-10770 we need similar functionality for KMS.
> Not to duplicate code, we should refactor existing code to common.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
