[jira] [Commented] (HADOOP-8779) Use tokens regardless of authentication type

Tue, 23 Oct 2012 07:01:15 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482330#comment-13482330
 ] 

Daryn Sharp commented on HADOOP-8779:
-------------------------------------

bq. {quote}3. Remove all the conditionals from the filesystems for whether 
tokens can be acquired and/or used{quote}
bq. I'm not sure this should be done, since the filesystem still needs to 
decide whether a token can be issued based on whether the client is 
authenticated using the configured initial auth method.

That's not how the token routines are conditionalized today.  Some simply 
return null if {{isSecurityEnabled}} is false.

I don't believe it's the filesystem's responsibility to decide if a token can 
be issued.  If the user/job-client requests a token, then it should try to 
issue one.  This will help solve incompatibilities where secure & insecure 
clusters cannot be accessed with the same client config.

bq.  I think this is where we have differences. In my view, when SIMPLE + 
SIMPLE is configured, there should be no tokens issued or submitted (as it is 
today).

We are not in stark opposition on this point.  I'd rather we don't have 
multiple code paths, but we can add conditionals to the job client to 
enable/disable token fetching, and to the RPC client to only use tokens to 
allow SIMPLE + SIMPLE.
                
> Use tokens regardless of authentication type
> --------------------------------------------
>
>                 Key: HADOOP-8779
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8779
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: fs, security
>    Affects Versions: 3.0.0, 2.0.2-alpha
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).  
> Authorization may be granted independently of the authentication model.  
> Tokens should be used regardless of simple or kerberos authentication.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to