[ 
https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15895062#comment-15895062
 ] 

Yongjun Zhang commented on HADOOP-14104:
----------------------------------------

Hi [~daryn],

Took a further look, my understanding is:

Credentials is an object stored in UGI, and it is passed around to various 
components such as mappers and reducers to get a job done. The Credentials 
object contains two maps:
{code}
  private  Map<Text, byte[]> secretKeysMap = new HashMap<Text, byte[]>();
  private  Map<Text, Token<? extends TokenIdentifier>> tokenMap =
      new HashMap<Text, Token<? extends TokenIdentifier>>();
{code}

When initializing the Credentials object for the client, the token map is 
populated by asking the NN for the tokens with 
FSNamesystem#getDelegationToken(Text renewer).

The secretKeysMap is populated by UserProvider.

To add fs/keyProvider entries to secretKeysMap, we call getServerDefaults once 
to get back the keyProvider info, and update secretKeysMap with entries <fs, 
keyProvider>.

Is that understanding correct?

Thanks.

--Yongjun
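
The flow described in the comment above, sketched as an added example (not code from the comment or from the attached patches). It uses only the public `Credentials` API from hadoop-common; the alias prefix, helper names, cluster URIs and KMS URIs are constructed for illustration, and the provider path is passed in rather than fetched from the namenode.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;

public class KeyProviderInCredentials {
  // Hypothetical alias prefix, chosen for this example only.
  static final String ALIAS_PREFIX = "kms-provider-for:";

  static Text alias(String fsUri) {
    return new Text(ALIAS_PREFIX + fsUri);
  }

  /** Record the provider path reported for one filesystem in secretKeysMap. */
  static void putKeyProvider(Credentials creds, String fsUri, String providerUri) {
    creds.addSecretKey(alias(fsUri), providerUri.getBytes(StandardCharsets.UTF_8));
  }

  /** Look the provider up again; null means nothing was recorded for this fs. */
  static String getKeyProvider(Credentials creds, String fsUri) {
    byte[] raw = creds.getSecretKey(alias(fsUri));
    return raw == null ? null : new String(raw, StandardCharsets.UTF_8);
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample values: two clusters, each with its own KMS.
    Map<String, String> reported = new LinkedHashMap<>();
    reported.put("hdfs://clusterA", "kms://https@kms-a.example.com:9600/kms");
    reported.put("hdfs://clusterB", "kms://https@kms-b.example.com:9600/kms");

    Credentials client = new Credentials();
    reported.forEach((fs, kp) -> putKeyProvider(client, fs, kp));

    // Serialize and re-read, as happens when credentials are shipped to a task.
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    client.writeTokenStorageToStream(new DataOutputStream(buf));
    Credentials task = new Credentials();
    task.readTokenStorageStream(
        new DataInputStream(new ByteArrayInputStream(buf.toByteArray())));

    for (String fs : reported.keySet()) {
      System.out.println(fs + " -> " + getKeyProvider(task, fs));
    }
    System.out.println("hdfs://clusterC -> " + getKeyProvider(task, "hdfs://clusterC"));
  }
}
```

The stored value is only the provider's location, not key material; the per-filesystem entries are what let a task reading from several clusters pick the right KMS instead of the single one in its local configuration.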


> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>         Attachments: HADOOP-14104-trunk.patch, HADOOP-14104-trunk-v1.patch
>
>
> According to the current implementation of the kms provider in the client 
> conf, there can only be one kms.
> In a multi-cluster environment, if a client is reading encrypted data from 
> multiple clusters, it will only get a kms token for the local cluster.
> Not sure whether the target version is correct or not.


