[
https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15895062#comment-15895062
]
Yongjun Zhang commented on HADOOP-14104:
----------------------------------------
Hi [~daryn],
Took a further look, my understanding is:
Credentials is an object stored in UGI, and it is passed around to various
components such as mappers and reducers to get a job done. The Credentials
object contains two maps:
{code}
private Map<Text, byte[]> secretKeysMap = new HashMap<Text, byte[]>();
private Map<Text, Token<? extends TokenIdentifier>> tokenMap =
new HashMap<Text, Token<? extends TokenIdentifier>>();
{code}
When initializing the Credentials object for the client, the token map is
populated by asking NN for the tokens with FSNamesystem#getDelegationToken(Text
renewer)
The secretKeysMap is populated by UserProvider.
To add fs/keyProvider entries to secretKeysMap, we call getServerDefaults once
to get back the keyProvider info, and update secretKeysMap with entries <fs,
keyProvider>.
Is that understanding correct?
Thanks.
--Yongjun
> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
> Key: HADOOP-14104
> URL: https://issues.apache.org/jira/browse/HADOOP-14104
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms
> Reporter: Rushabh S Shah
> Assignee: Rushabh S Shah
> Attachments: HADOOP-14104-trunk.patch, HADOOP-14104-trunk-v1.patch
>
>
> According to current implementation of kms provider in client conf, there can
> only be one kms.
> In multi-cluster environment, if a client is reading encrypted data from
> multiple clusters it will only get kms token for local cluster.
> Not sure whether the target version is correct or not.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
