[ https://issues.apache.org/jira/browse/HADOOP-6581?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12836300#action_12836300 ]

Kan Zhang commented on HADOOP-6581:
-----------------------------------

Added a patch that
1. allows TokenIdentifiers to be added to a ugi so that they can be made 
available for authorization checking in the RPC method.
2. updates RPC Server to add authenticated TokenIdentifiers to the ugi 
associated with the connection.
3. does minor refactoring of SaslRpcServer code.
4. fixes an NPE bug in DelegationKey where an empty DelegationKey throws NPE 
when you try to write it.

> Add authenticated TokenIdentifiers to UGI so that they can be used for 
> authorization
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-6581
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6581
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: ipc, security
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: c6581-10.patch
>
>
> When a token is used for authentication over RPC, information other than 
> username may be needed for access authorization. This information is 
> typically specified in TokenIdentifier. This is especially true for block 
> tokens used for client-to-datanode accesses, where authorization is based on 
> access permissions specified in TokenIdentifier, and not on username. Block 
> tokens used to be called access tokens and one can think of them as 
> capability tokens. See HADOOP-4359 for more info.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.