[ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481489#comment-13481489 ]
Daryn Sharp commented on HADOOP-8779:
-------------------------------------

bq. The deeper issue is whether the client should make its decision on what auth method to use based on configuration, or on what credentials are currently available. I think the former is better and easier to reason.

I think we need to be clear on which client we are discussing to avoid confusion. There is the low-level RPC client, which uses a token if available, else kerberos or simple. Then there's a high-level client, like the job client, that needs to determine if it should get a token.

bq. If the required credentials are not available, it should complain rather than automatically switch to make a different type of connection (a task switching from token to SIMPLE would defeat your testing purpose)

True, it would defeat the purpose, which is why I've long considered whether job submission should set a conf key that forces a task to only use tokens, which is what I think you are also suggesting. This would help with secure clusters to prevent the user from seeing a large confusing sasl exception from the rpc client when a token is unavailable. I planned to raise this issue when we get to MR's job client deciding if it should get tokens.

I agree these are all very valid questions that we need to address. I hope these don't block HDFS-4056 and HADOOP-8785 (not posted because it depends on HDFS-4056). These jiras are incremental steps forward that are independent from this larger discussion. These jiras will not change job submission or task execution behavior until the job client is changed.

> Use tokens regardless of authentication type
> --------------------------------------------
>
> Key: HADOOP-8779
> URL: https://issues.apache.org/jira/browse/HADOOP-8779
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs, security
> Affects Versions: 3.0.0, 2.0.2-alpha
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).
> Authorization may be granted independently of the authentication model.
> Tokens should be used regardless of simple or kerberos authentication.