[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051628#comment-14051628 ]

Alejandro Abdelnur commented on HADOOP-10769:
---------------------------------------------

Let's assume you have a {{DelegationTokenKeyProviderExtension}} providing a 
{{DelegationTokenExtension}} interface; it would be something like this: 

{code}
import java.io.IOException;

import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderExtension;
import org.apache.hadoop.security.token.Token;

public class DelegationTokenKeyProviderExtension
    extends KeyProviderExtension<DelegationTokenKeyProviderExtension.DelegationTokenExtension> {

  // Optional capability that a KeyProvider implementation may expose.
  public interface DelegationTokenExtension extends Extension {
    public Token<?> getDelegationToken(String renewer) throws IOException;
  }

  private DelegationTokenKeyProviderExtension(KeyProvider kp,
      DelegationTokenExtension dte) {
    super(kp, dte);
  }

  // Returns null when the wrapped KeyProvider does not supply the extension.
  public Token<?> getDelegationToken(String renewer) throws IOException {
    Token<?> token = null;
    if (getExtension() != null) {
      token = getExtension().getDelegationToken(renewer);
    }
    return token;
  }

  private static class DefaultDelegationTokenExtension
      implements DelegationTokenExtension {
    public Token<?> getDelegationToken(String renewer) throws IOException {
      return null;
    }
  }

  // Factory: uses the KeyProvider itself as the extension if it implements it.
  public static DelegationTokenKeyProviderExtension getExtension(KeyProvider kp) {
    DelegationTokenExtension dte = (kp instanceof DelegationTokenExtension)
        ? (DelegationTokenExtension) kp : null;
    return new DelegationTokenKeyProviderExtension(kp, dte);
  }
}
{code}

When using the {{DelegationTokenKeyProviderExtension}} to get tokens, you get 
the same semantics as you would get from the {{getDelegationToken()}} method 
if it were baked into the {{KeyProvider}} API, but without having the token 
retrieval in the {{KeyProvider}} API itself, which is your source of concern.



> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the 
> KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
