Dian Fu created HADOOP-11330:
--------------------------------
Summary: KMSClientProvider should use
PseudoDelegationTokenAuthenticator as the Authenticator when security is
disabled to improve performance
Key: HADOOP-11330
URL: https://issues.apache.org/jira/browse/HADOOP-11330
Project: Hadoop Common
Issue Type: Improvement
Components: kms, security
Reporter: Dian Fu
In the class KMSClientProvider, it connect with KMS with the following method:
{code}
private HttpURLConnection createConnection(final URL url, String method)
throws IOException {
HttpURLConnection conn;
try {
...
// creating the HTTP connection using the current UGI at constructor time
conn = loginUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() {
@Override
public HttpURLConnection run() throws Exception {
DelegationTokenAuthenticatedURL authUrl =
new DelegationTokenAuthenticatedURL(configurator);
return authUrl.openConnection(url, authToken, doAsUser);
}
});
} catch (IOException ex) {
throw ex;
} catch (UndeclaredThrowableException ex) {
throw new IOException(ex.getUndeclaredThrowable());
} catch (Exception ex) {
throw new IOException(ex);
}
...
}
{code} By default, DelegationTokenAuthenticatedURL will use
KerberosDelegationTokenAuthenticator as the Authenticator. We can set
PseudoDelegationTokenAuthenticator as the Authenticator when security is
disabled to improve performance. This will reduce one authentication process
between client and KMS server.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
