[ https://issues.apache.org/jira/browse/HDFS-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15113149#comment-15113149 ]
Daryn Sharp commented on HDFS-9525:
-----------------------------------

-1 No, feedback was not addressed, a bug was introduced, and the tests were changed to verify the new bug occurs. Strikethru on the one point addressed.

bq. -If a code change is necessary, UGI should use Configuration#getTrimmedStrings- and unconditionally call Credentials.readTokenStorageFile instead of allowing the user to specify an invalid setting. Only webhdfs related change is WebHdfsFileSystem.canRefreshDelegationToken should default to true.

The last and most important point was overlooked and webhdfs is broken. The tests used to:
# call getfilestatus and verify a token is sent
# clear the token with the comment {{// wipe out internal token to simulate auth always required}}
# call getfilestatus again to specifically verify no token is sent - because auth is expected

This patch changed #3 to verify the opposite behavior: the same token as #1 is passed.

Again, just change {{this.canRefreshDelegationToken = UserGroupInformation.isSecurityEnabled();}} to {{this.canRefreshDelegationToken = true;}} and it will cause webhdfs to look for a token even if security is off. Nothing else in webhdfs should require a change.

> hadoop utilities need to support provided delegation tokens
> -----------------------------------------------------------
>
> Key: HDFS-9525
> URL: https://issues.apache.org/jira/browse/HDFS-9525
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: security
> Affects Versions: 3.0.0
> Reporter: Allen Wittenauer
> Assignee: HeeSoo Kim
> Priority: Blocker
> Fix For: 3.0.0
>
> Attachments: HDFS-7984.001.patch, HDFS-7984.002.patch,
> HDFS-7984.003.patch, HDFS-7984.004.patch, HDFS-7984.005.patch,
> HDFS-7984.006.patch, HDFS-7984.007.patch, HDFS-7984.patch,
> HDFS-9525.008.patch, HDFS-9525.009.patch, HDFS-9525.009.patch,
> HDFS-9525.branch-2.008.patch, HDFS-9525.branch-2.009.patch
>
>
> When using the webhdfs:// filesystem (especially from distcp), we need the
> ability to inject a delegation token rather than webhdfs initialize its own.
> This would allow for cross-authentication-zone file system accesses.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)