[https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14051744#comment-14051744]
Larry McCay commented on HADOOP-10769:
--------------------------------------
That seems pretty convoluted.
Let's step back a second - so that the full use case is clear.
* consumers of the managed keys will need access to them from services/tasks at execution time
* some of the keys will be unknown until file access time
* so, at job submission time KMS delegation tokens are needed so that the services/tasks can access the required keys as the submitting user later as they discover the need for the specific keys from HDFS ext attrs
* therefore the delegation tokens have to be in the credentials file
* they will also need to be made available to the KMSClientKeyProvider to include in the request to the KMS
So, we need:
1. the ability to get the KMS delegation token at job submission time
2. the ability to add it to and get it from the credentials file (already available in Credentials) - though it seems that this has to be done by the consuming code, not the KMSClientKeyProvider code
3. the ability to supply the delegation token to the KMSClientKeyProvider when requesting keys
My questions:
A. For #1, can't we have a standalone DelegationTokenClient component - especially since there is another JIRA for refactoring delegation token support out into common to be more reusable? Such a client could then potentially be used inside the KMSClientKeyProvider.
B. Wouldn't it be better if providers that know they need delegation tokens were able to handle #2 themselves?
C. How is #3 above going to be handled using the current interfaces? I don't see how it is being added to the interaction currently.
D. If the KMSClientKeyProvider had access to the credentials object (already have access to UserKeyProvider) or some other execution context itself, then could that be a way that #3 could be addressed?
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
> Key: HADOOP-10769
> URL: https://issues.apache.org/jira/browse/HADOOP-10769
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the KeyProvider from processes without Kerberos credentials (i.e. YARN containers). This is required for HDFS encryption and KMS integration.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
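As an added illustration of step #2 in the comment above (not code from the JIRA, from its participants, or from the Hadoop project), the following Java example round-trips a token through a Hadoop credentials file using the existing Credentials and Token APIs: the submitting side stores the token under an alias and writes the file, and a task later reads the file back, looks the token up by alias and attaches it to its UserGroupInformation. The token contents, kind, service and alias are constructed placeholders, since on the page the token would come from the KMS at job submission time (step #1) and the hand-off into KMSClientKeyProvider (step #3, questions C and D) is left open by the discussion.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/**
 * Round-trips a delegation token through a Hadoop credentials file:
 * the submitting client adds the token under an alias and writes the file;
 * a task later reads the file, looks the token up by alias and attaches it
 * to its UGI so that token-aware clients can find it.
 */
public class KmsTokenCredentialsExample {

  // Alias under which the consuming code stores and looks up the token.
  // Constructed for this example; it is not a name the KMS client defines.
  static final Text KMS_TOKEN_ALIAS = new Text("example-kms-token");

  // Identifier, password, kind and service are placeholders: a real token
  // would be obtained from the KMS at job submission time (step #1).
  static Token<? extends TokenIdentifier> placeholderKmsToken() {
    byte[] identifier = "placeholder-identifier".getBytes(StandardCharsets.UTF_8);
    byte[] password = "placeholder-password".getBytes(StandardCharsets.UTF_8);
    return new Token<TokenIdentifier>(identifier, password,
        new Text("PLACEHOLDER_KMS_TOKEN_KIND"), new Text("kms.example.invalid:16000"));
  }

  /** Job-submission side: put the token into the credentials file. */
  static void writeCredentialsFile(Path file, Configuration conf,
      Token<? extends TokenIdentifier> token) throws IOException {
    Credentials creds = new Credentials();
    creds.addToken(KMS_TOKEN_ALIAS, token);
    creds.writeTokenStorageFile(file, conf);
  }

  /** Task side: read the file, fetch the token by alias, attach it to the UGI. */
  static Token<? extends TokenIdentifier> loadAndAttach(Path file, Configuration conf)
      throws IOException {
    Credentials creds = Credentials.readTokenStorageFile(file, conf);
    Token<? extends TokenIdentifier> token = creds.getToken(KMS_TOKEN_ALIAS);
    if (token == null) {
      throw new IOException("no token stored under alias " + KMS_TOKEN_ALIAS);
    }
    // Adding the credentials to the current user is what lets token-aware
    // clients running as this UGI discover the token without a Kerberos TGT.
    UserGroupInformation.getCurrentUser().addCredentials(creds);
    return token;
  }

  public static void main(String[] args) throws IOException {
    Configuration conf = new Configuration();
    Path file = new Path(System.getProperty("java.io.tmpdir"), "example.credentials");
    writeCredentialsFile(file, conf, placeholderKmsToken());
    Token<? extends TokenIdentifier> t = loadAndAttach(file, conf);
    System.out.println("kind=" + t.getKind() + " service=" + t.getService());
  }
}
```

The alias lookup is the part the comment flags as falling on the consuming code: nothing in this mechanism ties the stored token to a particular KeyProvider, so whichever component owns the alias (the job client here, or the provider itself as question B suggests) has to agree with the side that reads it back.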