[
https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052545#comment-14052545
]
Alejandro Abdelnur commented on HADOOP-10769:
---------------------------------------------
[~lmccay],
bq. So - you don't think that it makes sense to add a method that can move a
list of specified keyversions into the credentials object? That seems to imply
that all keys will be fetched at runtime rather than those we know about at
submission time being added then.
After reading your question, I wonder if this was not the disconnect in the
discussion.
This patch is not about adding the keys themselves to the credentials, but about
a delegation token for tasks to be able to interact with the keyprovider without
a Kerberos session.
Your self-answer is right on the use case we are interested in here.
On making things generic, I see the merit of that, though I don’t think it is in
the scope of this JIRA.
Sure, we’ll go with the extension pattern then.
[~asuresh], I think the right method to have in the extension, as [~atm]
pointed out, is {{addDelegationTokens()}} with a similar signature to the
{{FileSystem}} API.
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
> Key: HADOOP-10769
> URL: https://issues.apache.org/jira/browse/HADOOP-10769
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (ie Yarn containers).
> This is required for HDFS encryption and KMS integration.