[ https://issues.apache.org/jira/browse/HADOOP-6373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Owen O'Malley updated HADOOP-6373:
----------------------------------

    Attachment: token.patch

Here is a rough sketch of what I'd propose. The relevant differences:

1. The TokenIdentifiers are pulled out and made into classes. Each kind of 
Token will define three classes:
  a. The TokenIdentifier class that contains the fields of the token.
  b. The TokenPicker class searches through the tokens in a user's Subject to 
find the token for a given RPC connection.
  c. The SecretManager class handles the secrets that are used to create and 
validate the tokens.
2. The serialization of each of the TokenIdentifiers is done via standard 
Writable interfaces.
3. The client-side Tokens are not sub-classed. They just contain bytes for the 
serialized token identifier and corresponding password. They also have a 
"kind", which represents what kind of token they are, and "service", which 
represents which instance of the service the token is for. For HDFS delegation 
tokens, they would be "hdfs.delegation" and "$namenode:$port".
4. The TokenIdentifiers are subclassed and store their values as explicit 
fields, which makes using their values much easier. It will also be easier to 
move over to Avro when our RPC supports it. That will simplify putting 
versioning into the token identifiers.
5. Using thread local Macs means that the servers don't need to hold a global 
lock while they compute the HMAC-SHA1.
6. Dividing up the token handlers into SecretManagers means that all of the 
common code for interfacing to SASL will be shared.

> adding delegation token implementation
> --------------------------------------
>
>                 Key: HADOOP-6373
>                 URL: https://issues.apache.org/jira/browse/HADOOP-6373
>             Project: Hadoop Common
>          Issue Type: Sub-task
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>         Attachments: partial1.patch, token.patch
>
>
> The over-all design of delegation token is given in HADOOP-4343. This subtask 
> is for detailed design and implementation.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
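The token layout sketched in the comment above (an identifier with explicit fields serialized Writable-style, a SecretManager that derives the password with HMAC-SHA1 using a thread-local Mac, and an opaque client-side Token carrying identifier bytes, password, "kind" and "service"), as an added Java example that is neither token.patch nor Hadoop's own code. The class and method names, the demo secret, the owner/renewer/expiry fields and the service string "namenode.example:8020" are constructed stand-ins for "$namenode:$port".

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
// Constructed identifier class: explicit fields, serialized Writable-style via write/readFields.
class DelegationTokenIdentifier {
    String owner, renewer; long expiry;
    DelegationTokenIdentifier() {}
    DelegationTokenIdentifier(String o, String r, long e) { owner = o; renewer = r; expiry = e; }
    void write(DataOutput out) throws IOException { out.writeUTF(owner); out.writeUTF(renewer); out.writeLong(expiry); }
    void readFields(DataInput in) throws IOException { owner = in.readUTF(); renewer = in.readUTF(); expiry = in.readLong(); }
    byte[] getBytes() throws IOException {
        ByteArrayOutputStream b = new ByteArrayOutputStream(); write(new DataOutputStream(b)); return b.toByteArray();
    }
}
// Server side: owns the secret; one Mac per thread, so no global lock is held while computing HMAC-SHA1.
class DelegationSecretManager {
    private final SecretKeySpec key;
    private final ThreadLocal<Mac> mac;
    DelegationSecretManager(byte[] secret) {
        key = new SecretKeySpec(secret, "HmacSHA1");
        mac = ThreadLocal.withInitial(() -> {
            try { Mac m = Mac.getInstance("HmacSHA1"); m.init(key); return m; }
            catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        });
    }
    byte[] createPassword(byte[] identifier) { return mac.get().doFinal(identifier); }
    // Constant-time comparison: the password is the MAC, so a byte-by-byte compare would leak it via timing.
    boolean verify(byte[] identifier, byte[] password) { return MessageDigest.isEqual(createPassword(identifier), password); }
}
// Client side: opaque and not subclassed; only bytes plus "kind" and "service" for picking the right token.
final class Token {
    final byte[] identifier, password; final String kind, service;
    Token(byte[] id, byte[] pw, String k, String s) { identifier = id; password = pw; kind = k; service = s; }
}
public class TokenSketch {
    public static void main(String[] args) throws IOException {
        DelegationSecretManager mgr = new DelegationSecretManager("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        byte[] id = new DelegationTokenIdentifier("alice", "jobtracker", 1700000000000L).getBytes();
        Token t = new Token(id, mgr.createPassword(id), "hdfs.delegation", "namenode.example:8020");
        // Server: rebuild the identifier's fields from the bytes, then check the password against those bytes.
        DelegationTokenIdentifier parsed = new DelegationTokenIdentifier();
        parsed.readFields(new DataInputStream(new ByteArrayInputStream(t.identifier)));
        System.out.println(parsed.owner + "/" + parsed.renewer + " valid=" + mgr.verify(t.identifier, t.password));
        t.identifier[0] ^= 1;  // any change to the identifier bytes invalidates the password
        System.out.println("tampered valid=" + mgr.verify(t.identifier, t.password));
    }
}
```

The TokenPicker from the proposal is omitted; here the caller hands the Token straight to the server, and the "kind"/"service" fields are what a picker would match on.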
