[jira] [Updated] (HDFS-10643) HDFS namenode should always use service user (hdfs) to generateEncryptedKey

Mon, 18 Jul 2016 17:02:03 -0700 

     [ 
https://issues.apache.org/jira/browse/HDFS-10643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Xiaoyu Yao updated HDFS-10643:
------------------------------
    Attachment: HDFS-10643.01.patch

{{checkTGTAndReloginFromKeytab}} is not needed with HADOOP-13255 per discussion 
with [~jnp]. Adding a patch v1 for that. 
I'm working on the unit test of this and will update the patch again later. 

I also found a potential issue with HADOOP-13255 where the 
{{checkTGTAndReloginFromKeytab}} is invoked with only 
{{DelegationTokenAuthenticator#authenticate}} but not 
{{KerberosAuthenticator#authenticate}}. This is not an issue now because we 
currently don't use {{KerberosAuthenticator}} directly. Only 
{{DelegationTokenAuthenticator}} or {{KerberosDelegationTokenAuthenticator}} 
are being used. Since both {{KerberosAuthenticator}} and 
{{DelegationTokenAuthenticator}} implement the {{Authenticator}} interface, it 
is good to have {{checkTGTAndReloginFromKeytab}} added to {{authenticate}} 
implementations for consistency. I will open a separate ticket for it.

cc: [~xiaochen] and [~zhz] for additional feedback.  

> HDFS namenode should always use service user (hdfs) to generateEncryptedKey
> ---------------------------------------------------------------------------
>
>                 Key: HDFS-10643
>                 URL: https://issues.apache.org/jira/browse/HDFS-10643
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: encryption, namenode
>    Affects Versions: 2.6.0
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HDFS-10643.00.patch, HDFS-10643.01.patch
>
>
> KMSClientProvider is designed to be shared by different KMS clients. When 
> HDFS Namenode as KMS client talks to KMS to generateEncryptedKey for new file 
> creation from proxy user (hive, oozie), the proxyuser handling for 
> KMSClientProvider in this case is unnecessary, which cause 1) an extra proxy 
> user configuration allowing hdfs user to proxy its clients and 2) KMS acls to 
> allow non-hdfs user for GENERATE_EEK operation. 
> This ticket is opened to always use HDFS namenode login user (hdfs) when 
> talking to KMS to generateEncryptedKey for new file creation. This way, we 
> have a more secure KMS based HDFS encryption (we can set kms-acls to allow 
> only hdfs user for GENERATE_EEK) with less configuration hassle for KMS to 
> allow hdfs to proxy other users. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to