[ https://issues.apache.org/jira/browse/HDFS-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15061013#comment-15061013 ]

HeeSoo Kim commented on HDFS-9525:
----------------------------------

{quote}
I thought the issue at hand is how to access 2 kerberos clusters? If the other 
cluster is insecure, then just set 
ipc.client.fallback-to-simple-auth-allowed=true. 
{quote}
[~daryn] This use case can be used when the source is a kerberos cluster and the 
target is a non-kerberos (simple) cluster.
However, this use case is a contrary concept. Our source is a 
non-kerberos (simple) cluster and the target is a kerberos cluster.
This is the use case.
# I get the token from the target cluster with kerberos using fetchdt.
# The source cluster gets the delegation token file anyhow. 
# In the source cluster, we set the delegation token file in the hadoop.token.files 
parameter.
# The source cluster with cluster tried to connect to the target cluster with 
kerberos.

Even though I set up the delegation token file on the source cluster with simple, 
it does not use the token.
I agreed that if the source cluster does not have the token information of the 
target, WebHDFS needs to request GETDELEGATIONTOKEN.
However, if the source cluster has the right service token, WebHDFS needs to 
use the service token.

> hadoop utilities need to support provided delegation tokens
> -----------------------------------------------------------
>
>                 Key: HDFS-9525
>                 URL: https://issues.apache.org/jira/browse/HDFS-9525
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: HeeSoo Kim
>            Priority: Blocker
>             Fix For: 3.0.0
>
>         Attachments: HDFS-7984.001.patch, HDFS-7984.002.patch, 
> HDFS-7984.003.patch, HDFS-7984.004.patch, HDFS-7984.005.patch, 
> HDFS-7984.006.patch, HDFS-7984.007.patch, HDFS-7984.patch, HDFS-9525.008.patch
>
>
> When using the webhdfs:// filesystem (especially from distcp), we need the 
> ability to inject a delegation token rather than webhdfs initialize its own.  
> This would allow for cross-authentication-zone file system accesses.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
