[ https://issues.apache.org/jira/browse/HDFS-12284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667645#comment-16667645 ]
Brahma Reddy Battula edited comment on HDFS-12284 at 10/29/18 8:00 PM:
-----------------------------------------------------------------------

Thanks for working on this jira.

IIUC, Daryn was telling about the following: for each operation ugi is getting created (ugi construction).

{code:java}
UserGroupInformation connUGI = ugi;
if (UserGroupInformation.isSecurityEnabled()) {
  // With security enabled, wrap the caller in a proxy user backed by
  // the router's login user.
  UserGroupInformation routerUser = UserGroupInformation.getLoginUser();
  connUGI = UserGroupInformation.createProxyUser(
      ugi.getUserName(), routerUser);
}
// Get a connection for this UGI, RPC address and protocol.
connection = this.connectionManager.getConnection(
    connUGI, rpcAddress, proto);
{code}

{quote}I plan to enhance the connection pooling part by introducing synchronous connection creation using semaphore semantics instead of the current asynchronous connection creation.
{quote}

Mostly this can address, just we need to avoid when proxy user is already constructed.

{quote}The temporary solution for this JIRA is to add the definition of dfs.federation.router.kerberos.internal.spnego.principal to SecurityConfUtil#initSecurity(). Thoughts?
{quote}

Yes, we should this config like all other configs to start router http server.

{quote}We can create another ticket for adding hdfs-rbf-default.xml in HdfsConfiguration, but wondering how it will work for NameNode? Because in a namenode scenario, hdfs-rbf-default.xml may not be in the classpath.
{quote}

AFAIK, just one more file (hdfs-rbf*) will be added to the classpath of Namenode, DataNode. I don't think the user will configure namenode/datanode configs in this file, so this will not impact these processes.

I think newly added testcases are not using the state store (as zk address is not used) and requests are not going through router.

We should commit this ASAP, as this blocks delegation token impl. [~crh] can you update the delegation token prototype based on this?

was (Author: brahmareddy):

Thanks for working on this jira.

IIUC, Daryn was telling about the following: for each operation ugi is getting created (ugi construction).

{code:java}
UserGroupInformation connUGI = ugi;
if (UserGroupInformation.isSecurityEnabled()) {
  // With security enabled, wrap the caller in a proxy user backed by
  // the router's login user.
  UserGroupInformation routerUser = UserGroupInformation.getLoginUser();
  connUGI = UserGroupInformation.createProxyUser(
      ugi.getUserName(), routerUser);
}
// Get a connection for this UGI, RPC address and protocol.
connection = this.connectionManager.getConnection(
    connUGI, rpcAddress, proto);
{code}

{quote}I plan to enhance the connection pooling part by introducing synchronous connection creation using semaphore semantics instead of the current asynchronous connection creation.
{quote}

Mostly this can address, just we need to avoid when proxy user is already constructed.

{quote}The temporary solution for this JIRA is to add the definition of dfs.federation.router.kerberos.internal.spnego.principal to SecurityConfUtil#initSecurity(). Thoughts?
{quote}

Yes, we should this config like all other configs to start router http server.

{quote}We can create another ticket for adding hdfs-rbf-default.xml in HdfsConfiguration, but wondering how it will work for NameNode? Because in a namenode scenario, hdfs-rbf-default.xml may not be in the classpath.
{quote}

AFAIK, just one more file (hdfs-rbf*) will be added to the classpath of Namenode, DataNode. I don't think the user will configure namenode/datanode configs in this file, so this will not impact these processes.

I think newly added testcases are not using the state store (as zk address is not used).

We should commit this ASAP, as this blocks delegation token impl. [~crh] can you update the delegation token prototype based on this?

> RBF: Support for Kerberos authentication
> ----------------------------------------
>
>                 Key: HDFS-12284
>                 URL: https://issues.apache.org/jira/browse/HDFS-12284
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Zhe Zhang
>            Assignee: Sherwood Zheng
>            Priority: Major
>         Attachments: HDFS-12284-HDFS-13532.004.patch,
> HDFS-12284-HDFS-13532.005.patch, HDFS-12284-HDFS-13532.006.patch,
> HDFS-12284-HDFS-13532.007.patch, HDFS-12284-HDFS-13532.008.patch,
> HDFS-12284-HDFS-13532.009.patch, HDFS-12284-HDFS-13532.010.patch,
> HDFS-12284-HDFS-13532.011.patch, HDFS-12284-HDFS-13532.012.patch,
> HDFS-12284.000.patch, HDFS-12284.001.patch, HDFS-12284.002.patch,
> HDFS-12284.003.patch
>
>
> HDFS Router should support Kerberos authentication and issuing / managing
> HDFS delegation tokens.