[ https://issues.apache.org/jira/browse/HADOOP-13945?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15895301#comment-15895301 ]

Mingliang Liu commented on HADOOP-13945:
----------------------------------------

Patch looks good to me overall. For a few places using UGI, I need a 2nd opinion. 
[[email protected]] I'll hold the commit for 3 days in case you'd like to review.

# {{fs.azure.authorization.remote.service.url}} should be a separate constant 
final variable as well as a config key (e.g. in core-default.xml)?
# In code to log a message, let's keep the exception in log message. e.g.
{code:title=RemoteSASKeyGeneratorImpl#initialize()}
LOG.error("Error in fetching the WASB delegation token");
{code}
# I see at least two places using the logic of finding the expected token,
{code}
Iterator<Token<? extends TokenIdentifier>> tokenIterator = null;
try {
  tokenIterator = UserGroupInformation.getCurrentUser().getCredentials()
      .getAllTokens().iterator();
  while (tokenIterator.hasNext()) {
    Token<? extends TokenIdentifier> iteratedToken = tokenIterator.next();
    if (iteratedToken.getKind().equals(WasbDelegationTokenIdentifier.TOKEN_KIND)) {
      delegationToken = iteratedToken.encodeToUrlString();
    }
  }
{code}
Can we use {{UserGroupInformation.getCurrentUser().getCredentials().getToken(WasbDelegationTokenIdentifier.TOKEN_KIND)}}? We have to test this.
# {{if (isSecurityEnabled && (delegationToken != null && 
!delegationToken.isEmpty()))}}. This is a nit. We don't need {{()}} for && 
right?
# {{package-info.java}} is preferred to {{package.html}} since Java 5.
# I see some duplicate code, can we create a helper method for that? e.g.
{code}
final UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
UserGroupInformation connectUgi = ugi.getRealUser();
final UserGroupInformation proxyUser = connectUgi;
if (connectUgi == null) {
  connectUgi = ugi;
}
if (!connectUgi.hasKerberosCredentials()) {
  connectUgi = UserGroupInformation.getLoginUser();
}
{code}
and
{code}
final String credServiceUrl = conf.get(Constants.KEY_CRED_SERVICE_URL,
    String.format("http://%s:%s",
        InetAddress.getLocalHost().getCanonicalHostName(),
        Constants.DEFAULT_CRED_SERVICE_PORT));
{code}

> Azure: Add Kerberos and Delegation token support to WASB client.
> ----------------------------------------------------------------
>
>                 Key: HADOOP-13945
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13945
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/azure
>    Affects Versions: 2.8.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>         Attachments: HADOOP-13945.1.patch, HADOOP-13945.2.patch, 
> HADOOP-13945.3.patch, HADOOP-13945.4.patch, HADOOP-13945.5.patch
>
>
> Current implementation of Azure storage client for Hadoop ({{WASB}}) does not 
> support Kerberos Authentication and FileSystem authorization, which makes it 
> unusable in secure environments with multi user setup. 
> To make {{WASB}} client more suitable to run in Secure environments, there 
> are 2 initiatives under way for providing the authorization (HADOOP-13930) 
> and fine grained access control (HADOOP-13863) support.
> This JIRA is created to add Kerberos and delegation token support to {{WASB}} 
> client to fetch Azure Storage SAS keys (from Remote service as discussed in 
> HADOOP-13863), which provides fine grained timed access to containers and 
> blobs. 
> For delegation token management, the proposal is to use the same REST service 
> which is being used to generate the SAS Keys.
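
An added sketch (not code from the patch or from the Hadoop project) of the helper methods the review comment above asks for, collecting the repeated token lookup and the repeated connect-UGI selection in one place. The class name {{WasbSecurityUtils}} and both method names are hypothetical. Unlike the quoted loop, the lookup returns the first matching token instead of the last. It matches on token kind because {{Credentials.getToken(Text)}} is keyed by the alias the token was stored under, which matches the kind only when the token was added under that alias.

```java
import java.io.IOException;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Hypothetical helper class; its name and method names are not from the patch. */
public final class WasbSecurityUtils {

  private WasbSecurityUtils() {
  }

  /**
   * Finds a token of the given kind among the current user's credentials.
   *
   * @param kind token kind to match, e.g. WasbDelegationTokenIdentifier.TOKEN_KIND
   * @return URL-safe encoding of the first matching token, or null if none is held
   */
  public static String findEncodedToken(Text kind) throws IOException {
    Credentials creds = UserGroupInformation.getCurrentUser().getCredentials();
    for (Token<? extends TokenIdentifier> token : creds.getAllTokens()) {
      if (kind.equals(token.getKind())) {
        return token.encodeToUrlString();
      }
    }
    return null;
  }

  /**
   * Picks the UGI used to authenticate to the remote service: the real user
   * when the current user is a proxy user, otherwise the current user, and
   * the login user when that choice holds no Kerberos credentials.
   */
  public static UserGroupInformation getConnectUgi() throws IOException {
    UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
    UserGroupInformation connectUgi = ugi.getRealUser();
    if (connectUgi == null) {
      connectUgi = ugi; // not a proxy user
    }
    if (!connectUgi.hasKerberosCredentials()) {
      connectUgi = UserGroupInformation.getLoginUser();
    }
    return connectUgi;
  }
}
```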


