[ 
https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052066#comment-14052066
 ] 

Aaron T. Myers commented on HADOOP-10769:
-----------------------------------------

bq. Do you think that we could make it more generic though?

I'm sure we could, but I suggest we cross that bridge when we come to it. 
Hadoop currently does delegated authentication via {{DelegationTokens}} 
everywhere, so let's do something to support that and move on. If in the future 
we have need for other stuff, we'll amend the API appropriately. Seems quite 
premature to me to attempt to design a generic API when we don't have any 
concrete alternate use-cases.

bq. Out of curiosity, why does it return an array of Tokens?

The various callers use it for different things, e.g. in some places just to 
log which tokens were renewed. I don't think it's actually integral to the 
functioning of the API, just a convenience.

bq. If we were to open it up to include other things, like keys or passwords, 
etc then we could just make it an add credentials method call:<snip>

In general I'm really leery of a {{HashMap<String,Object>}}-based API. That 
seems quite fragile to me, and very overly-generic for the common use case of 
just dealing with DTs.

How about as a way forward with this JIRA we go with the "{{public Token<?>[] 
addDelegationTokens(final String renewer, Credentials credentials)}}" added to 
{{KeyProvider}} as I proposed, and revisit a more generic API in the future 
when we actually have a concrete need for it? We could then perhaps later add a 
"{{addAdditionalCredentials}}" API call or something to accommodate 
non-DT-based implementations. It is *soft*ware, after all. :)

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the 
> KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
