[
https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050289#comment-14050289
]
Alejandro Abdelnur commented on HADOOP-10769:
---------------------------------------------
It is not the intention, at all, to relegate external providers to be plugged
into KMS to work.
The intention is to enable the Hadoop KeyProvider API with a security pattern
managed and understood by existing Hadoop services: storage, propagation,
renewal of tokens is already handled throughout the platform. The
DelegationToken framework already does all this. And an external provider can
fully leverage this without having to be deployed via KMS.
If you deploy an external provider via KMS you then get additional benefits out
of the box: scalability, caching, isolated DEK management.
Also, note that {{getDelegationToken()}} does not handle authentication,
just getting a delegation token. Authentication is assumed to be done via UGI
mechanisms.
Regarding context values for a given provider, UGI credentials are already used
in that way.
Because of this, IMO, I think we are good with DelegationToken support for now.
And I'm happy to consider changes when a concrete example not handled by it
arises.
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
> Key: HADOOP-10769
> URL: https://issues.apache.org/jira/browse/HADOOP-10769
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.