[ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482763#comment-13482763 ]
Kan Zhang commented on HADOOP-8779:
-----------------------------------

bq. That's not how the token routines are conditionalized today. Some simply return null if isSecurityEnabled is false.

Today, tokens are only issued when Kerberos is used and using Kerberos is synonymous with security being turned on. Hence isSecurityEnabled is used as a proxy for checking if Kerberos is used. When Kerberos is not the only initial auth method to be paired with tokens, the checking should be "is the client authenticated using the configured initial auth method(s)"?

bq. I don't believe it's the filesystem's responsibility to decide if a token can be issued.

The token is called NN delegation token. It's a credential that NN generates and manages for its clients to connect back. It is the sole responsibility of NN to decide whether it should issue, expire, or validate/accept a token for a given client. You lost me here. :-)

bq. If the user/job-client requests a token, then it should try to issue one.

Why? If SIMPLE instead of TOKEN is configured as subsequent auth method, why issue a token that will never be used? Simplifying code is good, but not to the extent that unnecessary objects are created and exchanged at runtime.

bq. We are not in stark opposition on this point. I'd rather we don't have multiple code paths, but we can add conditionals to the job client to enable/disable token fetching, and to the RPC client to only use tokens to allow SIMPLE + SIMPLE.

I don't think adding conditionals to the job client is needed. A config option for subsequent auth method should suffice for now. This option decides whether the job client should fetch tokens and whether RPC client for jobs should use tokens. It also tells NN whether it should issue tokens.
> Use tokens regardless of authentication type
> --------------------------------------------
>
> Key: HADOOP-8779
> URL: https://issues.apache.org/jira/browse/HADOOP-8779
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs, security
> Affects Versions: 3.0.0, 2.0.2-alpha
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).
> Authorization may be granted independently of the authentication model.
> Tokens should be used regardless of simple or kerberos authentication.