[ 
https://issues.apache.org/jira/browse/HADOOP-14640?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Santhosh G Nayak updated HADOOP-14640:
--------------------------------------
    Attachment: HADOOP-14640.2.patch

Thanks [~jnp] for reviewing the patch.

Yes. {{AuthenticatedURL.Token}} does not provide the expiry time of the token. 
So, I introduced the {{SpnegoToken}} class to represent the {{SPNEGO}} token, 
which provides information about the validity of the token along with the 
token itself.
The token used in the {{hadoop.auth}} cookie follows the SPNEGO standard and 
will have an expiry time (represented as {{e}}) in it. So, I think it will be 
better if we can reuse that information, instead of setting a different expiry 
time on our end and treating it as opaque. 

Regarding {{expiryTime > System.currentTimeMillis() + 1000 * 60 * 5L}}, I am 
adding a 5-minute buffer to proactively get a new token, to save the additional 
network calls of requests which can definitely fail because of the token expiry 
and to eliminate any issues which can arise because of time differences between 
machines (if any).

I have attached another patch addressing the checkstyle-related comments and a 
bug fix where the impersonation context is getting lost in 
{{SecureWasbRemoteCallHelper.getHttpRequest()}} as it is being invoked inside 
{{ugi.doAs()}}.

> Azure: Support affinity for service running on localhost and reuse SPNEGO 
> hadoop.auth cookie for authorization, SASKey and delegation token generation
> ------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14640
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14640
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: fs/azure
>    Affects Versions: 2.9.0
>            Reporter: Santhosh G Nayak
>            Assignee: Santhosh G Nayak
>              Labels: security
>         Attachments: HADOOP-14640.1.patch, HADOOP-14640.2.patch
>
>
> Currently, {{WasbRemoteCallHelper}} can be configured to talk to a 
> comma-separated list of URLs for authorization, SASKey generation and 
> delegation token generation.
> To improve the performance, if the service runs on the local machine, give it 
> first preference over the other configured list of URLs. 
> Currently, {{WasbRemoteCallHelper}} generates the {{hadoop.auth}} cookie for 
> every request by talking to the remote service, before making the actual REST 
> requests.
> The proposal is to reuse the {{hadoop.auth}} cookie for subsequent requests 
> from the same {{WasbRemoteCallHelper}} object until its expiry time. 



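The reuse check discussed in the message above, as an added example that is not code from the HADOOP-14640 patches: it reads the {{e}} attribute from a {{hadoop.auth}} cookie value and reuses the cookie only while the expiry is more than 5 minutes away. The class and method names are hypothetical, the cookie is assumed to be an {{&}}-separated attribute string (optionally wrapped in double quotes), and the sample values are constructed.

```java
import java.util.Optional;

/** Added example; class and method names are hypothetical, not taken from the patch. */
public class HadoopAuthCookieExpiry {
  // Refresh this long before the stated expiry, matching the check quoted in the comment.
  static final long REFRESH_BUFFER_MS = 1000 * 60 * 5L;

  /** Extracts the 'e' (expiry, epoch millis) attribute from a hadoop.auth cookie value. */
  static Optional<Long> expiryMillis(String cookieValue) {
    if (cookieValue == null) return Optional.empty();
    String v = cookieValue.trim();
    // Assumption: the value may arrive wrapped in double quotes; strip them.
    if (v.length() >= 2 && v.startsWith("\"") && v.endsWith("\"")) {
      v = v.substring(1, v.length() - 1);
    }
    for (String pair : v.split("&")) {
      if (pair.startsWith("e=")) {
        try {
          return Optional.of(Long.parseLong(pair.substring(2)));
        } catch (NumberFormatException ex) {
          return Optional.empty(); // unreadable expiry: treat as absent
        }
      }
    }
    return Optional.empty();
  }

  /** True only if the expiry is readable and lies beyond now + buffer; otherwise fetch a new token. */
  static boolean isReusable(String cookieValue, long nowMillis) {
    return expiryMillis(cookieValue)
        .map(e -> e > nowMillis + REFRESH_BUFFER_MS)
        .orElse(false);
  }

  public static void main(String[] args) {
    long now = 1_500_000_000_000L; // constructed "current time"
    // Constructed cookie values; user, principal and signature are placeholders.
    String base = "u=alice&p=alice@EXAMPLE.COM&t=kerberos&e=";
    String fresh = "\"" + base + (now + 3_600_000L) + "&s=PLACEHOLDER\"";
    String nearExpiry = base + (now + 120_000L) + "&s=PLACEHOLDER";
    String malformed = base + "soon&s=PLACEHOLDER";
    System.out.println("fresh:      " + isReusable(fresh, now));
    System.out.println("nearExpiry: " + isReusable(nearExpiry, now));
    System.out.println("malformed:  " + isReusable(malformed, now));
    System.out.println("null:       " + isReusable(null, now));
  }
}
```

The client cannot verify the cookie's signature, so the parsed expiry is only a hint for when to refresh; the server remains the authority on whether the token is still valid.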