[ 
https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050712#comment-14050712
 ] 

Aaron T. Myers commented on HADOOP-10769:
-----------------------------------------

Larry/Tucu - I sort of half agree with both of you. I agree with Tucu that the 
suggestion of introducing a new "getKeyProviderContext" API is fairly 
unprecedented and seems fragile. I also agree with Larry, though, that it's not 
unreasonable for the KeyProvider API to not know anything about 
DelegationTokens - seems like separate concerns.

My suggestion is to use the KeyProviderExtension mechanism being introduced by 
HADOOP-10719 to add DT support to only the KMSClientKeyProvider. Thoughts?

> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the 
> KeyProvider from processes without Kerberos credentials (i.e. Yarn containers).
> This is required for HDFS encryption and KMS integration.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
