[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051628#comment-14051628 ]
Alejandro Abdelnur commented on HADOOP-10769:
---------------------------------------------

Let's assume you have a {{DelegationTokenKeyProviderExtension}} providing a {{DelegationTokenExtension}} interface, it would be something like this:

{code}
import java.io.IOException;

import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderExtension;
import org.apache.hadoop.security.token.Token;

public class DelegationTokenKeyProviderExtension
    extends KeyProviderExtension<DelegationTokenKeyProviderExtension.DelegationTokenExtension> {

  // Optional capability a KeyProvider may implement to hand out delegation tokens.
  public interface DelegationTokenExtension extends KeyProviderExtension.Extension {
    public Token<?> getDelegationToken(String renewer) throws IOException;
  }

  private DelegationTokenKeyProviderExtension(KeyProvider kp, DelegationTokenExtension dte) {
    super(kp, dte);
  }

  // Returns null when the wrapped KeyProvider does not support delegation tokens.
  public Token<?> getDelegationToken(String renewer) throws IOException {
    Token<?> token = null;
    if (getExtension() != null) {
      token = getExtension().getDelegationToken(renewer);
    }
    return token;
  }

  // No-op implementation: never issues a token.
  private static class DefaultDelegationTokenExtension implements DelegationTokenExtension {
    public Token<?> getDelegationToken(String renewer) throws IOException {
      return null;
    }
  }

  // Wraps kp; the extension is kp itself if it implements DelegationTokenExtension, else null.
  public static DelegationTokenKeyProviderExtension getExtension(KeyProvider kp) {
    DelegationTokenExtension dte = (kp instanceof DelegationTokenExtension)
        ? (DelegationTokenExtension) kp : null;
    return new DelegationTokenKeyProviderExtension(kp, dte);
  }
}
{code}

When using the {{DelegationTokenKeyProviderExtension}} to get tokens you get the same semantics as you would do getting the tokens from the {{getDelegationToken()}} method if it would be backed in the {{KeyProvider}} API but without having the token retrieval in the {{KeyProvider}} API itself which is your source of concerns.

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (ie Yarn containers).
> This is required for HDFS encryption and KMS integration.