[ https://issues.apache.org/jira/browse/HADOOP-8779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13483342#comment-13483342 ]
Daryn Sharp commented on HADOOP-8779:
-------------------------------------

I think we're starting to over-engineer the issue at hand and bleeding requirements for other jiras like HADOOP-8758 into the design. This jira has a different goal that happens to be a step in that direction, but this jira has a much simpler goal: supporting tokens on "insecure" clusters.

I had hoped to eliminate all the conditional code paths for security and make SIMPLE behave no differently than other auth methods. I feel we have become excessively bogged down trying to support SIMPLE with tokens (my initial goal) and w/o tokens (your goal).

A far simpler approach is supporting SASL's PLAIN mechanism. It's basically hadoop's SIMPLE, but within the context of SASL. The end result is that PLAIN will trigger all the {{isSecurityEnabled}} code w/o changing any of the behavior of SIMPLE. The change becomes almost trivial because I won't have to touch the security conditionals in filesystems, mr, or yarn. Then all we need is a conf key, such as the one in HADOOP-8965, to force clients (i.e. a task) to use a token instead of attempting an auth.

I don't feel we need to ponder multiple internal auths - tokens can be used with any external auth as this approach will demonstrate. Users will get a clean error message from failed tasks such as "hey, you don't have a token!" instead of huge cryptic SASL exceptions.

I'd like to keep this change succinct and leave broader changes to other jiras. Is this approach more palatable? The only downside is that we still need to do dual testing for secure/insecure, which I'd hoped to eliminate... But at least the pre-commits finally have the option to use PLAIN auth to test security.

> Use tokens regardless of authentication type
> --------------------------------------------
>
> Key: HADOOP-8779
> URL: https://issues.apache.org/jira/browse/HADOOP-8779
> Project: Hadoop Common
> Issue Type: New Feature
> Components: fs, security
> Affects Versions: 3.0.0, 2.0.2-alpha
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
>
> Security is a combination of authentication and authorization (tokens).
> Authorization may be granted independently of the authentication model.
> Tokens should be used regardless of simple or kerberos authentication.