[
https://issues.apache.org/jira/browse/HADOOP-16298?focusedWorklogId=739295&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-739295
]
ASF GitHub Bot logged work on HADOOP-16298:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 10/Mar/22 06:17
Start Date: 10/Mar/22 06:17
Worklog Time Spent: 10m
Work Description: cbaenziger opened a new pull request #4059:
URL: https://github.com/apache/hadoop/pull/4059
### Description of PR
This PR provides a means to reload authentication credentials from updated
Hadoop delegation tokens similar to how one would reload credentials from an
updated kerberos ticket.
### How was this patch tested?
This patch has been tested via:
* The unit tests
* Via long-running (modified to use the refresh) HBase 1.x clients.
Long-running means through many delegation token refresh cycles
* Further it has been used in non-long running Spark workloads which were
delegation token based
* TODO: I would like to figure out how I can write a unit-test to validate
[the reload for an HA
HDFS|https://github.com/apache/hadoop/compare/trunk...cbaenziger:HADOOP-16298?expand=1#diff-e160685d647b1420f6c56264302c0e1c82ead52e75a31d91fb2a12f0ce9261c4R465-R481]
but I can not find what seems like the correct layer to put such a test. I do
not expect HDFS should be used in a `hadoop-common` layer test; is it okay to
test UGI's behavior in `hadoop-hdfs-project`?
### For code changes:
- [X] Does the title or this PR starts with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [N/A] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [X] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [N/A] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 739295)
Remaining Estimate: 0h
Time Spent: 10m
> Manage/Renew delegation tokens for externally scheduled jobs
> ------------------------------------------------------------
>
> Key: HADOOP-16298
> URL: https://issues.apache.org/jira/browse/HADOOP-16298
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.7.3, 2.9.0, 3.2.0, 3.3.0
> Reporter: Pankaj Deshpande
> Assignee: Clay B.
> Priority: Major
> Attachments: Proposal for changes to UGI for managing_renewing
> externally managed delegation tokens.pdf
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> * Presently when jobs are run in the Hadoop ecosystem, the implicit
> assumption is that YARN will be used as a scheduling agent with access to
> appropriate keytabs for renewal of kerberos tickets and delegation tokens.
> * Jobs that interact with kerberized hadoop services such as hbase/hive/hdfs
> and use an external scheduler such as Kubernetes, typically do not have
> access to keytabs. In such cases, delegation tokens are a logical choice for
> interacting with a kerberized cluster. These tokens are issued based on some
> external auth mechanism (such as Kube LDAP authentication).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
