[jira] [Commented] (HADOOP-14556) S3A to support Delegation Tokens

Fri, 25 Aug 2017 10:13:21 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141904#comment-16141904
 ] 

Daryn Sharp commented on HADOOP-14556:
--------------------------------------

We've been running with s3 session tokens as delegation tokens for about a 
year.  Would have pushed it back to community except I didn't have time to 
figure out how to write tests.  There are a number of blockers with the 
currently posted patch:

I do notice the semantics of getDelegationToken are completely broken.  It must 
unconditionally fetch a token, regardless of whether the UGI contains one.

The client morphs based on the current user.  This violates the client 
requirement to always remain as the user when it was instantiated.  Security 
flaw.

This also doesn't consider that proxy users need special treatment to avoid 
being tricked into using the wrong credentials.  Security flaw.

I'll toss up my patch today or monday for your consideration.

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>         Attachments: HADOOP-14556-001.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via 
> {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; 
> these will be saved in the token and  marshalled with jobs
> * A new authentication provider will look for a token for the current user 
> and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to 
> the initial duration. Also, as you can't request an STS token from a 
> temporary session, IAM instances won't be able to issue tokens.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to