[
https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14049317#comment-14049317
]
Larry McCay commented on HADOOP-10769:
--------------------------------------
That isn't exactly accurate; it is required by a distributed implementation
that requires delegation tokens - which is an anti-pattern in my mind. A better
approach is to get all keys upfront and add them to the credentials object as
is done with delegation tokens - I understand that this has been discussed on
the other jiras but that doesn't mean that all other implementations should be
required to have it. I also don't like that HDFS will always call this and have
to deal with null when a different provider is configured. It is an abstraction
leak.
I don't want to debate whether delegation tokens should be used or not - I'd
like to pursue other ways for you to get the token without changing the
provider interface to explicitly call it out as a requirement.
Perhaps, we could add a call for creating an execution context where we pass in
some properties and get back a context with additional properties.
{code}
public HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> properties);
{code}
This would be essentially a means to get a provider some callbacks into the
execution environment and a way to pass provider specific context back to the
execution environment.
This isn't completely thought through but this is the sort of direction that I
would like rather than making implementation details part of the provider
interface. What do you think?
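Added illustration of the direction sketched in the comment above; this is not Larry McCay's code nor Hadoop's actual KeyProvider API. The `KeyProvider` interface, `InMemoryKeyProvider`, and the property/context names are all hypothetical, and a plain `Map` stands in for Hadoop's `Credentials` object:

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch of the context-passing alternative: the launcher hands
// the provider some execution-environment properties, gets provider-specific
// context back, and fetches every key the job needs before launch. The
// container side then reads keys from the credentials bag it was given and
// never has to call the provider (or know about delegation tokens).
interface KeyProvider {
    byte[] getKeyMaterial(String keyName);

    // Default so providers that need no context do not implement it and
    // callers never have to special-case null (the abstraction leak above).
    default HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> properties) {
        return new HashMap<>();
    }
}

// Toy provider with constructed key material; it records the caller's appId
// in the context it returns, standing in for whatever a remote provider needs.
class InMemoryKeyProvider implements KeyProvider {
    private final Map<String, byte[]> keys = new HashMap<>();

    InMemoryKeyProvider() { keys.put("zone-key", new byte[] {1, 2, 3, 4}); }

    @Override public byte[] getKeyMaterial(String keyName) {
        byte[] k = keys.get(keyName);
        if (k == null) throw new IllegalArgumentException("unknown key " + keyName);
        return k.clone();
    }

    @Override public HashMap<String, Object> getKeyProviderContext(HashMap<String, Object> props) {
        HashMap<String, Object> ctx = new HashMap<>();
        ctx.put("provider.appId", props.get("appId"));
        return ctx;
    }
}

public class UpfrontKeyFetch {
    // Client side: runs with the submitter's own (e.g. Kerberos) identity and
    // packs the resolved keys into the bag that travels with the job.
    static Map<String, byte[]> prepareCredentials(KeyProvider p, String appId, String... names) {
        HashMap<String, Object> props = new HashMap<>();
        props.put("appId", appId);
        HashMap<String, Object> ctx = p.getKeyProviderContext(props); // never null
        Map<String, byte[]> creds = new HashMap<>();
        for (String n : names) creds.put(n, p.getKeyMaterial(n));
        creds.put("ctx.appId", String.valueOf(ctx.get("provider.appId")).getBytes());
        return creds;
    }

    public static void main(String[] args) {
        Map<String, byte[]> creds = prepareCredentials(new InMemoryKeyProvider(), "app-1", "zone-key");
        // Container side: only creds is available, no provider handle at all.
        System.out.println("keys shipped with job: " + creds.keySet());
    }
}
```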
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
> Key: HADOOP-10769
> URL: https://issues.apache.org/jira/browse/HADOOP-10769
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (ie Yarn containers).
> This is required for HDFS encryption and KMS integration.
--
This message was sent by Atlassian JIRA
(v6.2#6252)