[ https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050319#comment-14050319 ]
Larry McCay commented on HADOOP-10769:
--------------------------------------

I fully understand your intent here, but you seem to be missing the fact that the provider API is a client-side abstraction to an arbitrary key provider or providers.

bq. If you deploy an external provider via KMS you then get additional benefits out of the box: scalability, caching, isolated DEK management.

All of the benefits of the KMS are wonderful and can be easily added to simple providers by plugging them into the KMS server. However, more sophisticated key management solutions will provide these themselves, and the key provider interface on the client side shouldn't impose the need for a method that is extraneous to the given provider. The need for getting a DelegationToken is a reasonable requirement for a specific provider - in this case the KMSClientKeyProvider - but it isn't something that needs to be done for all implementations.

bq. Also, note that getDelegationToken() does not handle authentication, just getting a delegation token. Authentication is assumed to be done via UGI mechanisms.

Perhaps I am missing something - my understanding is that you need getDelegationToken so that you can get it from the KMS to allow for "authentication" to the KMS later from services/tasks that will get the token from the credentials file for the job submission in order to request a key from the KMS. Is this incorrect?

My proposal is to allow for this very capability through a more generic contract with the key providers.
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
>                 Key: HADOOP-10769
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10769
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (i.e. YARN containers).
> This is required for HDFS encryption and KMS integration.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
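The following is an added illustration of the design being argued about above, not code from Hadoop or from either commenter. It models the alternative Larry McCay proposes: the generic client-side KeyProvider contract carries only key operations, and fetching a delegation token is an optional capability that a remote provider such as the KMS client implements while a local keystore provider does not. The job submitter, which still holds Kerberos credentials via UGI, discovers that capability at runtime and stores the resulting tokens in the job's credentials for later use by containers. Every class and method name here (KeyProvider, DelegationTokenCapable, KmsClientProvider, LocalKeystoreProvider, Token, Credentials, collectDelegationTokens) is a hypothetical stand-in, the KMS address is made up, and the token identifier and key material are constructed placeholders rather than any real wire format.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not Hadoop code. Models keeping getDelegationToken() off the
 * generic client-side KeyProvider contract and exposing it as an optional
 * capability. All names are hypothetical stand-ins for Hadoop's KeyProvider,
 * Token and Credentials types.
 */
public class KeyProviderTokenDemo {

    /** Stand-in for a delegation token: the service it is valid for plus an opaque identifier. */
    static final class Token {
        final String service;
        final byte[] identifier;
        Token(String service, byte[] identifier) {
            this.service = service;
            this.identifier = identifier;
        }
    }

    /** Stand-in for org.apache.hadoop.security.Credentials, keyed by service name. */
    static final class Credentials {
        private final Map<String, Token> tokens = new HashMap<>();
        void addToken(Token t) { tokens.put(t.service, t); }
        Token getToken(String service) { return tokens.get(service); }
        int numberOfTokens() { return tokens.size(); }
    }

    /** Generic client-side contract: key access only, nothing about tokens. */
    interface KeyProvider {
        byte[] getKeyMaterial(String keyName);
    }

    /** Optional capability for providers that must be reachable later from
     *  processes without Kerberos credentials (e.g. YARN containers). */
    interface DelegationTokenCapable {
        /** Called by the job submitter while it is still Kerberos-authenticated via UGI. */
        Token getDelegationToken(String renewer);
    }

    /** Remote KMS client: implements the capability because containers reach the KMS over the network. */
    static final class KmsClientProvider implements KeyProvider, DelegationTokenCapable {
        private final String serviceAddr;
        private final Map<String, byte[]> keys;

        KmsClientProvider(String serviceAddr, Map<String, byte[]> keys) {
            this.serviceAddr = serviceAddr;
            this.keys = keys;
        }

        @Override public byte[] getKeyMaterial(String keyName) { return keys.get(keyName); }

        @Override public Token getDelegationToken(String renewer) {
            // A real KMS mints a token only after UGI/Kerberos authentication; this
            // identifier is a constructed placeholder, not the KMS wire format.
            byte[] id = (renewer + "@" + serviceAddr).getBytes(StandardCharsets.UTF_8);
            return new Token(serviceAddr, id);
        }

        /** Container-side path: the stored token, not Kerberos, authorizes the key request. */
        byte[] getKeyMaterialWithToken(Credentials creds, String keyName) {
            if (creds.getToken(serviceAddr) == null) {
                throw new IllegalStateException("no delegation token for " + serviceAddr);
            }
            return getKeyMaterial(keyName);
        }
    }

    /** Local keystore: keys never leave the process, so the capability is deliberately absent. */
    static final class LocalKeystoreProvider implements KeyProvider {
        private final Map<String, byte[]> keys;
        LocalKeystoreProvider(Map<String, byte[]> keys) { this.keys = keys; }
        @Override public byte[] getKeyMaterial(String keyName) { return keys.get(keyName); }
    }

    /** Job-submission step: collect a token from every provider that can issue one;
     *  providers without the capability are skipped rather than forced to stub it. */
    static Credentials collectDelegationTokens(List<KeyProvider> providers, String renewer) {
        Credentials creds = new Credentials();
        for (KeyProvider p : providers) {
            if (p instanceof DelegationTokenCapable) {
                creds.addToken(((DelegationTokenCapable) p).getDelegationToken(renewer));
            }
        }
        return creds;
    }

    public static void main(String[] args) {
        Map<String, byte[]> kmsKeys = new HashMap<>();
        kmsKeys.put("hdfs-zone-key", new byte[] {1, 2, 3, 4}); // constructed sample key material
        KmsClientProvider kms = new KmsClientProvider("kms.example.internal:9600", kmsKeys);
        KeyProvider local = new LocalKeystoreProvider(new HashMap<>());

        List<KeyProvider> providers = new ArrayList<>();
        providers.add(kms);
        providers.add(local);

        // Submitter side (Kerberos-authenticated): only the KMS contributes a token.
        Credentials jobCreds = collectDelegationTokens(providers, "yarn");
        System.out.println("tokens in job credentials: " + jobCreds.numberOfTokens());

        // Container side (no Kerberos): the stored token is presented to fetch the key.
        byte[] key = kms.getKeyMaterialWithToken(jobCreds, "hdfs-zone-key");
        System.out.println("container fetched key of " + key.length + " bytes");
    }
}
```

The point the example makes concrete is the one under dispute: the submitter-side token collection works against the generic KeyProvider list without the generic contract knowing about tokens, so a provider that manages keys locally or in an HSM is never asked to implement a method it cannot meaningfully satisfy, while the KMS client still gets its token into the job credentials before any container starts.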