[ 
https://issues.apache.org/jira/browse/HDFS-12284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667645#comment-16667645
 ] 

Brahma Reddy Battula commented on HDFS-12284:
---------------------------------------------

Thanks for working on this jira.

IIUC, Daryn was telling about the following: for each operation, a ugi is getting 
created (ugi construction).

 
{code:java}
UserGroupInformation connUGI = ugi;
if (UserGroupInformation.isSecurityEnabled()) {
  UserGroupInformation routerUser = UserGroupInformation.getLoginUser();
  connUGI = UserGroupInformation.createProxyUser(
      ugi.getUserName(), routerUser);
}
connection = this.connectionManager.getConnection(
    connUGI, rpcAddress, proto);
{code}
{quote}I plan to enhance the connection pooling part by introducing synchronous 
connection creation using semaphore semantics instead of the current 
asynchronous connection creation.
{quote}
Mostly this can address it; we just need to avoid it when the proxy user is already 
constructed.
{quote}The temporary solution for this JIRA is to add the definition of 
dfs.federation.router.kerberos.internal.spnego.principal to 
SecurityConfUtil#initSecurity().
 Thoughts?
{quote}
Yes, we should add this config, like all other configs, to start the router http server.
{quote}We can create another ticket for adding hdfs-rbf-default.xml in 
HdfsConfiguration, but wondering how it will work for NameNode? Because in a 
namenode scenario, hdfs-rbf-default.xml may not be in the classpath.
{quote}
AFAIK, just one more file (hdfs-rbf*) will be added to the classpath of 
NameNode, DataNode. I don't think the user will configure namenode/datanode configs 
in this file, so this will not impact these processes.

I think the newly added test cases are not using the state store (as the zk address is 
not used).

 

We should commit this ASAP, as this blocks the delegation token impl. [~crh], can you 
update the delegation token prototype based on this?

 

> RBF: Support for Kerberos authentication
> ----------------------------------------
>
>                 Key: HDFS-12284
>                 URL: https://issues.apache.org/jira/browse/HDFS-12284
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Zhe Zhang
>            Assignee: Sherwood Zheng
>            Priority: Major
>         Attachments: HDFS-12284-HDFS-13532.004.patch, 
> HDFS-12284-HDFS-13532.005.patch, HDFS-12284-HDFS-13532.006.patch, 
> HDFS-12284-HDFS-13532.007.patch, HDFS-12284-HDFS-13532.008.patch, 
> HDFS-12284-HDFS-13532.009.patch, HDFS-12284-HDFS-13532.010.patch, 
> HDFS-12284-HDFS-13532.011.patch, HDFS-12284-HDFS-13532.012.patch, 
> HDFS-12284.000.patch, HDFS-12284.001.patch, HDFS-12284.002.patch, 
> HDFS-12284.003.patch
>
>
> HDFS Router should support Kerberos authentication and issuing / managing 
> HDFS delegation tokens.


