[ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran updated HADOOP-14556:
------------------------------------
Status: Patch Available (was: Open)
HADOOP-14556 patch 003
* rebased to trunk
* move everything new to auth package
* conflicts with pending HADOOP-15583 patch, as the ddb credential wire up here
is obsoleted by that.
This is purely a rebase to see where things are, and to *probably* get jenkins
to recompile. Not compiled or tested myself.
To get this in:
# needs HADOOP-15583 in first, this patch reworked
# needs to move to the plugin model I've proposed, with marshalled credentials
including info about it
# Plus of course: all Daryn's comments. Will need to think about testing that
user-level scoping.
For a simple "full credentials DT" (which still gets secrets to a service),
which should also work with 3rd party stores
* place keys and encryption info in DT; send over wire, decode and auth.
session/AssumedRole DT provider
* get long-life keys
* option for role/session should be restricted to the specific bucket, ddb
table (and all kms keys) of the destination
I'm slightly worried about the impact asking for lots of session tokens could
have on launch; will need retry logic there in case the whole account is
overloaded for (undocumented) STS limits, as every bucket will have an STS call
made @ launch time.
> S3A to support Delegation Tokens
> --------------------------------
>
> Key: HADOOP-14556
> URL: https://issues.apache.org/jira/browse/HADOOP-14556
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 2.8.1
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch,
> HADOOP-14556-003.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via
> {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id;
> these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user
> and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to
> the initial duration. Also, as you can't request an STS token from a
> temporary session, IAM instances won't be able to issue tokens.
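The token layout sketched above (STS session id, secret and session token saved in the delegation token and marshalled with the job, a provider that looks the token up for the current user, no renewal so the initial expiry is final) as an added illustration; this is not code from the patch or from Hadoop, and the class, kind name and field layout are assumptions:

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.IOException;

import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/** Hypothetical identifier carrying STS session credentials inside an S3A DT. */
public class S3ASessionTokenIdentifier extends TokenIdentifier {
  public static final Text KIND = new Text("S3ASessionDelegationToken"); // assumed kind name
  private Text owner = new Text();
  private String accessKey = "", secretKey = "", sessionToken = "";
  private long expiryMillis; // fixed at issue time: no renewal, so this is the hard lifespan

  public S3ASessionTokenIdentifier() {}
  public S3ASessionTokenIdentifier(String owner, String accessKey, String secretKey,
      String sessionToken, long expiryMillis) {
    this.owner = new Text(owner); this.accessKey = accessKey; this.secretKey = secretKey;
    this.sessionToken = sessionToken; this.expiryMillis = expiryMillis;
  }

  // Marshalling: these bytes travel with the job, so treat the whole token as a secret.
  @Override public void write(DataOutput out) throws IOException {
    owner.write(out);
    Text.writeString(out, accessKey); Text.writeString(out, secretKey);
    Text.writeString(out, sessionToken); out.writeLong(expiryMillis);
  }
  @Override public void readFields(DataInput in) throws IOException {
    owner.readFields(in);
    accessKey = Text.readString(in); secretKey = Text.readString(in);
    sessionToken = Text.readString(in); expiryMillis = in.readLong();
  }
  @Override public Text getKind() { return KIND; }
  @Override public UserGroupInformation getUser() {
    return UserGroupInformation.createRemoteUser(owner.toString());
  }
  /** Reject tokens past their initial duration; the session cannot be renewed. */
  public boolean isExpired(long nowMillis) { return nowMillis >= expiryMillis; }

  /** What the auth provider would do: find a token of our kind for the current user. */
  public static S3ASessionTokenIdentifier lookup(Text service) throws IOException {
    for (Token<? extends TokenIdentifier> t : UserGroupInformation.getCurrentUser().getTokens()) {
      if (!KIND.equals(t.getKind()) || !service.equals(t.getService())) continue;
      S3ASessionTokenIdentifier id = new S3ASessionTokenIdentifier();
      id.readFields(new DataInputStream(new ByteArrayInputStream(t.getIdentifier())));
      return id.isExpired(System.currentTimeMillis()) ? null : id; // expired: fall through
    }
    return null; // no usable token: caller falls back to other credential providers
  }
}
```

A caller that gets `null` back should fall through to the next credential provider rather than fail, since the lookup returning nothing is the normal case for an unauthenticated client.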
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)