[jira] [Commented] (HADOOP-14556) S3A to support Delegation Tokens

Tue, 14 Aug 2018 13:17:51 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16580370#comment-16580370
 ] 

Steve Loughran commented on HADOOP-14556:
-----------------------------------------

OK, looking at your patch, the key thing is that the canonical name includes 
the session key, so that you can have >1 FS instance for a bucket & get unique 
keys. 

But now I'm confused about how references to s3a URLs are managed across apps.

e.g 

spark-submit with dest = s3a://bucket

# client: get DT for bucket containing session or assumed role secrets
# YARN: marshall DTs from launch request to launched AM
# Spark AM: given a destination of s3a://bucket, locate the credentials for 
that specific bucket.

action #3 is what confuses me: if we're inserting session IDs into buckets, how 
to know which to look up? Or will it be that you can just invent a session id 
to refer to a specific FS instantiation at both ends?

I think we also need to take the knife to user:secret in s3a URLs HADOOP-14833. 
That's fine, I've been looking forward to deleting that code for a while. 

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Major
>         Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch, 
> HADOOP-14556-003.patch, HADOOP-14556-004.patch, HADOOP-14556.oath.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via 
> {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; 
> these will be saved in the token and  marshalled with jobs
> * A new authentication provider will look for a token for the current user 
> and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to 
> the initial duration. Also, as you can't request an STS token from a 
> temporary session, IAM instances won't be able to issue tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to