[ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481489#comment-13481489 ]

Daryn Sharp commented on HADOOP-8779:
-------------------------------------

bq. The deeper issue is whether the client should make its decision on what 
auth method to use based on configuration, or on what credentials are currently 
available. I think the former is better and easier to reason.

I think we need to be clear on which client we are discussing to avoid 
confusion.  There is the low-level RPC client that uses a token if available, 
else kerberos or simple.  Then there's a high-level client, like the job client, 
that needs to determine if it should get a token.

bq. If the required credentials are not available, it should complain rather 
than automatically switch to make a different type of connection (a task 
switching from token to SIMPLE would defeat your testing purpose)

True, it would defeat the purpose, which is why I've long considered whether 
job submission should set a conf key that forces a task to only use tokens 
which is what I think you are also suggesting.  This would help with secure 
clusters to prevent the user from seeing a large confusing sasl exception from 
the rpc client when a token is unavailable.  I planned to raise this issue when 
we get to MR's job client deciding if it should get tokens.

I agree these are all very valid questions that we need to address.  I hope 
these don't block HDFS-4056 and HADOOP-8785 (not posted because it depends on 
HDFS-4056).  These jiras are incremental steps forward that are independent 
from this larger discussion.  These jiras will not change job submission or 
task execution behavior until the job client is changed.


                
> Use tokens regardless of authentication type
> --------------------------------------------
>
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  
> Authorization may be granted independently of the authentication model.  
> Tokens should be used regardless of simple or kerberos authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
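
The selection order described in the comment above (token if available, else kerberos or simple), next to the fail-closed variant it discusses, as an added sketch that is not Hadoop code and not from the commenter. The class, the `requireToken` flag standing in for the proposed conf key, and the `securityEnabled` flag are all hypothetical names.

```java
import java.util.Optional;

// Added illustration only; none of these names exist in Hadoop.
public class AuthSelectionSketch {
    enum AuthMethod { TOKEN, KERBEROS, SIMPLE }

    /** Raised instead of silently downgrading when a token is mandatory. */
    static class TokenRequiredException extends RuntimeException {
        TokenRequiredException(String msg) { super(msg); }
    }

    /**
     * Credential-driven choice: a token wins if one is present.
     * requireToken models the conf key proposed for tasks (assumption):
     * when set, a missing token is an error rather than a fallback.
     * securityEnabled models the cluster's configured auth (assumption).
     */
    static AuthMethod select(Optional<String> token,
                             boolean securityEnabled,
                             boolean requireToken) {
        if (token.isPresent()) {
            return AuthMethod.TOKEN;
        }
        if (requireToken) {
            // Fail closed with a clear message instead of a SASL error
            // or a quiet switch to SIMPLE.
            throw new TokenRequiredException(
                "token required by configuration but none available");
        }
        return securityEnabled ? AuthMethod.KERBEROS : AuthMethod.SIMPLE;
    }

    public static void main(String[] args) {
        Optional<String> tok = Optional.of("constructed-sample-token");
        Optional<String> none = Optional.empty();

        // Token present: used regardless of the configured auth type.
        System.out.println(select(tok, true, false));
        System.out.println(select(tok, false, false));
        // No token, no requirement: falls back to kerberos or simple.
        System.out.println(select(none, true, false));
        System.out.println(select(none, false, false));
        // No token, token required: the task complains instead of downgrading.
        try {
            select(none, false, true);
        } catch (TokenRequiredException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```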