[ https://issues.apache.org/jira/browse/HADOOP-11207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14175566#comment-14175566 ]
Vinod Kumar Vavilapalli commented on HADOOP-11207: -------------------------------------------------- Read up on the background - I was originally confused why HADOOP-10835 was not sufficient, I get it now. Overall, there is proxy-user support for generic non-token calls, but there is no proxy-user for getting/renew/cancel tokens themselves. I was surprised why HDFS didn't need it. It turns out HDFS doesn't depend on the common filter code, and instead duplicates the doAs code in JspHeper etc - that's why. Filed HDFS-7262 for this. The patch looks good to me. Can you take care of the findbugs warnings? > DelegationTokenAuthenticationHandler needs to support DT operations for proxy > user > ---------------------------------------------------------------------------------- > > Key: HADOOP-11207 > URL: https://issues.apache.org/jira/browse/HADOOP-11207 > Project: Hadoop Common > Issue Type: Bug > Components: security > Reporter: Zhijie Shen > Assignee: Zhijie Shen > Attachments: HADOOP-11207.1.patch, HADOOP-11207.2.patch > > > Currently, DelegationTokenAuthenticationHandler only support DT operations > for the request user after it passes the authentication. However, it should > also support the request user to do DT operations on behalf of the proxy user. > Timeline server is using the authentication filter for DT operations instead > of traditional RPC-based ones. It needs this feature to enable the proxy user > to use the timeline service (YARN-2676). -- This message was sent by Atlassian JIRA (v6.3.4#6332)