[ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451502#comment-13451502 ]

Kan Zhang commented on HADOOP-8779:
-----------------------------------

Firstly, delegation tokens are not authorizations; they are just credentials to 
be used with some authentication method (DIGEST-MD5 in this case). There could 
be many ways to set up the credentials to be used with DIGEST-MD5. Hence, we 
have many different delegation token implementations (SecretManagers) in 
Hadoop. But currently only a single type of delegation token (to be used with 
DIGEST-MD5 as the internal auth method) can be used for a particular service, 
and it is tightly coupled with Kerberos as the only external auth method. 
HADOOP-8758 is opened to support DIGEST-MD5 as an external auth method (with 
potentially many different types of tokens to be used with it). See my comment 
in HADOOP-8758 for an explanation of external vs. internal auth methods.

Secondly, this JIRA is not needed; it is already assumed by HADOOP-8758. The 
decoupling of Kerberos from existing delegation token implementations (used 
with DIGEST-MD5 as internal auth method) has to be done before adding 
DIGEST-MD5 as an external auth method. Once decoupling is done, auth methods 
other than DIGEST-MD5 (including SIMPLE auth) should also be configurable as 
external auth methods.
                
> Use tokens regardless of authentication type
> --------------------------------------------
>
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  
> Authorization may be granted independently of the authentication model.  
> Tokens should be used regardless of simple or kerberos authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
