[ https://issues.apache.org/jira/browse/HDFS-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15113149#comment-15113149 ]

Daryn Sharp commented on HDFS-9525:
-----------------------------------

-1 No, feedback was not addressed, a bug was introduced, and the tests were 
changed to verify the new bug occurs.  Strikethrough on the one point addressed.

bq. -If a code change is necessary, UGI should use 
Configuration#getTrimmedStrings- and unconditionally call 
Credentials.readTokenStorageFile instead of allowing the user to specify an 
invalid setting. Only webhdfs related change is 
WebHdfsFileSystem.canRefreshDelegationToken should default to true.

The last and most important point was overlooked and webhdfs is broken.  The 
tests used to:
# call getfilestatus and verify a token is sent
# clear the token with the comment {{// wipe out internal token to simulate 
auth always required}}
# call getfilestatus again to specifically verify no token is sent - because 
auth is expected

This patch changed #3 to verify the opposite behavior:  the same token as #1 is 
passed.  Again, just change {{this.canRefreshDelegationToken = 
UserGroupInformation.isSecurityEnabled();}} to {{this.canRefreshDelegationToken 
= true;}} and it will cause webhdfs to look for a token even if security is 
off.  Nothing else in webhdfs should require a change.


> hadoop utilities need to support provided delegation tokens
> -----------------------------------------------------------
>
>                 Key: HDFS-9525
>                 URL: https://issues.apache.org/jira/browse/HDFS-9525
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: HeeSoo Kim
>            Priority: Blocker
>             Fix For: 3.0.0
>
>         Attachments: HDFS-7984.001.patch, HDFS-7984.002.patch, 
> HDFS-7984.003.patch, HDFS-7984.004.patch, HDFS-7984.005.patch, 
> HDFS-7984.006.patch, HDFS-7984.007.patch, HDFS-7984.patch, 
> HDFS-9525.008.patch, HDFS-9525.009.patch, HDFS-9525.009.patch, 
> HDFS-9525.branch-2.008.patch, HDFS-9525.branch-2.009.patch
>
>
> When using the webhdfs:// filesystem (especially from distcp), we need the 
> ability to inject a delegation token rather than have webhdfs initialize its own.  
> This would allow for cross-authentication-zone file system accesses.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
