[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051744#comment-14051744 ]
Larry McCay commented on HADOOP-10769:
--------------------------------------

That seems pretty convoluted. Let's step back a second - so that the full use case is clear.

* consumers of the managed keys will need access to them from services/tasks at execution time
* some of the keys will be unknown until file access time
* so, at job submission time KMS delegation tokens are needed so that the services/tasks can access the required keys as the submitting user later, as they discover the need for the specific keys from HDFS ext attrs
* therefore the delegation tokens have to be in the credentials file
* they will also need to be made available to the KMSClientKeyProvider to include in the request to the KMS

So, we need:

1. the ability to get the KMS delegation token at job submission time
2. the ability to add it to and get it from the credentials file (already available in Credentials) - though it seems that this has to be done by the consuming code, not the KMSClientKeyProvider code
3. the ability to supply the delegation token to the KMSClientKeyProvider when requesting keys

My questions:

A. For #1, can't we have a standalone DelegationTokenClient component - especially since there is another jira for refactoring delegation token support out into common to be more reusable? Such a client could then potentially be used inside the KMSClientKeyProvider.
B. Wouldn't it be better if providers that know they need delegation tokens were able to handle #2 themselves?
C. How is #3 above going to be handled using the current interfaces? I don't see how it is being added to the interaction currently.
D. If the KMSClientKeyProvider had access to the credentials object (already have access to UserKeyProvider) or some other execution context itself, then could that be a way that #3 could be addressed?
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.

--
This message was sent by Atlassian JIRA
(v6.2#6252)