[
https://issues.apache.org/jira/browse/HADOOP-16120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773016#comment-16773016
]
Steve Loughran commented on HADOOP-16120:
-----------------------------------------
DTs are only collected on application launch, e.g. MapReduce, distcp,
spark-submit, then marshalled to the far end. Once issued, they may be
refreshed, but the rest of the running app (which doesn't have Kerberos
credentials after all) is not only not going to ask for them, it's never going
to have the ability to ask for them.
I think this will have to be a WONTFIX. Sorry.
> Lazily allocate KMS delegation tokens
> -------------------------------------
>
> Key: HADOOP-16120
> URL: https://issues.apache.org/jira/browse/HADOOP-16120
> Project: Hadoop Common
> Issue Type: Improvement
> Components: kms, security
> Affects Versions: 2.8.5, 3.1.2
> Reporter: Ruslan Dautkhanov
> Priority: Major
>
> We noticed that HDFS clients talk to KMS even when they try to access
> unencrypted databases. Is there a way to make HDFS clients talk to KMS
> servers *only* when they need access to encrypted data? Since we will be
> encrypting only one database (and 50+ other much more critical production
> databases will not be encrypted), if KMS is down for maintenance or
> for some other reason, we want to limit the outage only to encrypted data.
> In other words, it would be great if KMS delegation tokens were allocated
> lazily - on first request to encrypted data.
> This could be a non-default option to lazily allocate KMS delegation tokens,
> to improve availability of non-encrypted data.
>