[
https://issues.apache.org/jira/browse/HADOOP-16120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772164#comment-16772164
]
Wei-Chiu Chuang commented on HADOOP-16120:
------------------------------------------
Hi,
KMS delegation tokens are issued when an application invokes
FileSystem#addDelegationTokens() API. An application typically invokes this API
because the delegation tokens may be used later. For example, a MapReduce
client invokes it, so that the DTs can be passed along to mapper and reducer.
And typically it's not possible to know if you would ever access an encryption
zone a priori.
> Lazily allocate KMS delegation tokens
> -------------------------------------
>
> Key: HADOOP-16120
> URL: https://issues.apache.org/jira/browse/HADOOP-16120
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms, security
> Affects Versions: 2.8.5, 3.1.2
> Reporter: Ruslan Dautkhanov
> Priority: Major
>
> We noticed that HDFS clients talk to KMS even when they try to access not
> encrypted databases.. Is there is a way to make HDFS clients to talk to KMS
> servers *only* when they need access to encrypted data? Since we will be
> encrypting only one database (and 50+ other much more critical production
> databases will not be encrypted), in case if KMS is down for maintenance or
> for some other reason, we want to limit outage only to encrypted data.
> In other words, it would be great if KMS delegation toekns would be allocated
> lazily - on first request to encrypted data.
> This could be a non-default option to lazily allocate KMS delegation tokens,
> to improve availability of non-encrypted data.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
