[
https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-14556:
------------------------------------
Status: Patch Available (was: Open)
Patch 012; checkstyle and weekly update patch
* adding options to core-default.xml
* address previous patch javadoc issues
main change is that the session token will lift and forward any existing
session credentials its auth chain provides. The standard DT login chain is
"simple" (full keys in config options) and env vars, but if the env vars are
session vars or the chain is configured to use Temporary credentials then those
creds are marshalled into the DT *after a warning is logged*
the warning & docs cover a limitation of forwarding: the token life is now that
of the existing credentials, which we don't know. But: it allows people who
only have session creds (e.g. issued by 2FA) to pass them on as DTs.
role DTs don't handle this: you can't call STS.assumeRole with session tokens
TODO
* add a test for session credential forwarding
* salvage something from the MR test which uses a mock yarn client for job
submit, so avoids the challenge of getting a secure mini yarn cluster up.
* only log that forwarding once
> S3A to support Delegation Tokens
> --------------------------------
>
> Key: HADOOP-14556
> URL: https://issues.apache.org/jira/browse/HADOOP-14556
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3
> Affects Versions: 3.2.0
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Major
> Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch,
> HADOOP-14556-003.patch, HADOOP-14556-004.patch, HADOOP-14556-005.patch,
> HADOOP-14556-007.patch, HADOOP-14556-008.patch, HADOOP-14556-009.patch,
> HADOOP-14556-010.patch, HADOOP-14556-010.patch, HADOOP-14556-011.patch,
> HADOOP-14556-012.patch, HADOOP-14556.oath-002.patch, HADOOP-14556.oath.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via
> {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id;
> these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user
> and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to
> the initial duration. Also, as you can't request an STS token from a
> temporary session, IAM instances won't be able to issue tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
