[
https://issues.apache.org/jira/browse/HADOOP-11207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175566#comment-14175566
]
Vinod Kumar Vavilapalli commented on HADOOP-11207:
--------------------------------------------------
Read up on the background - I was originally confused why HADOOP-10835 was not
sufficient, I get it now.
Overall, there is proxy-user support for generic non-token calls, but there is
no proxy-user for getting/renew/cancel tokens themselves.
I was surprised why HDFS didn't need it. It turns out HDFS doesn't depend on
the common filter code, and instead duplicates the doAs code in JspHeper etc -
that's why. Filed HDFS-7262 for this.
The patch looks good to me. Can you take care of the findbugs warnings?
> DelegationTokenAuthenticationHandler needs to support DT operations for proxy
> user
> ----------------------------------------------------------------------------------
>
> Key: HADOOP-11207
> URL: https://issues.apache.org/jira/browse/HADOOP-11207
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: HADOOP-11207.1.patch, HADOOP-11207.2.patch
>
>
> Currently, DelegationTokenAuthenticationHandler only support DT operations
> for the request user after it passes the authentication. However, it should
> also support the request user to do DT operations on behalf of the proxy user.
> Timeline server is using the authentication filter for DT operations instead
> of traditional RPC-based ones. It needs this feature to enable the proxy user
> to use the timeline service (YARN-2676).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
