[https://issues.apache.org/jira/browse/HADOOP-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14050319#comment-14050319]
Larry McCay commented on HADOOP-10769:
--------------------------------------
I fully understand your intent here but you seem to be missing the fact that
the provider API is a client-side abstraction to an arbitrary key provider or
providers.
bq. If you deploy an external provider via KMS you then get additional benefits
out of the box: scalability, caching, isolated DEK management.
All of the benefits of the KMS are wonderful and can be easily added to simple
providers by plugging them into the KMS server. However, more sophisticated key
management solutions will provide these themselves and the key provider
interface on the client side shouldn't impose the need for a method that is
extraneous to the given provider. The need for getting a DelegationToken is a
reasonable requirement for a specific provider, in this case the
KMSClientKeyProvider, but it isn't something that needs to be done for all
implementations.
bq. Also, note that getDelegationToken() does not handle authentication,
just getting a delegation token. Authentication is assumed to be done via UGI
mechanisms.
Perhaps I am missing something - my understanding is that you need
getDelegationToken so that you can get it from the KMS to allow for
"authentication" to the KMS later from services/tasks that will get the token
from the credentials file for the job submission in order to request a key from
the KMS. Is this incorrect?
My proposal is to allow for this very capability through a more generic
contract with the key providers.
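As an added illustration of the kind of generic contract argued for above (example code written for this page, not Hadoop's KeyProvider API and not anything proposed in the ticket): the token capability lives in a separate optional interface, so a local keystore provider is never forced to implement getDelegationToken(), while the job submitter collects tokens only from providers that advertise the capability and a task later authenticates to the KMS with the token it finds in its Credentials. The FakeKms, its HMAC token format and the service name are constructed for the example.

```python
import hmac
import hashlib
from abc import ABC, abstractmethod


class KeyProvider(ABC):
    """Client-side key access contract; says nothing about how a provider authenticates."""
    @abstractmethod
    def get_key(self, name: str) -> bytes: ...


class DelegationTokenProvider(ABC):
    """Optional capability, implemented only by providers that need tokens (e.g. a KMS client)."""
    @abstractmethod
    def service(self) -> str: ...          # name the token is filed under in Credentials
    @abstractmethod
    def get_delegation_token(self, principal: str) -> str: ...


class LocalKeystoreProvider(KeyProvider):
    """A provider with no remote service: no token method is forced on it."""
    def __init__(self, keys): self.keys = keys
    def get_key(self, name): return self.keys[name]


class FakeKms:
    """Stand-in KMS server (constructed): issues HMAC-protected tokens, serves keys to holders."""
    def __init__(self, secret, keys, now): self.secret, self.keys, self.now = secret, keys, now
    def issue_token(self, principal, ttl=3600):   # assumed to be a Kerberos-authenticated call
        payload = f"{principal}:{self.now + ttl}"
        return payload + ":" + hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
    def get_key(self, token, name):
        principal, expiry, mac = token.rsplit(":", 2)
        expected = hmac.new(self.secret, f"{principal}:{expiry}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected) or self.now >= int(expiry):
            raise PermissionError("invalid or expired delegation token")
        return self.keys[name]


class KmsClientProvider(KeyProvider, DelegationTokenProvider):
    """The one provider that needs tokens; at task time it reads its token from the job Credentials."""
    def __init__(self, kms, credentials): self.kms, self.credentials = kms, credentials
    def service(self): return "kms://kms-host:16000"   # hypothetical service name
    def get_delegation_token(self, principal): return self.kms.issue_token(principal)
    def get_key(self, name):
        token = self.credentials.get(self.service())
        if token is None:
            raise PermissionError("no KMS delegation token in Credentials")
        return self.kms.get_key(token, name)


def submit_job(providers, principal, credentials):
    """Submitter side: only providers advertising the capability contribute a token."""
    for p in providers:
        if isinstance(p, DelegationTokenProvider):
            credentials[p.service()] = p.get_delegation_token(principal)
    return credentials
```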
> Add getDelegationToken() method to KeyProvider
> ----------------------------------------------
>
> Key: HADOOP-10769
> URL: https://issues.apache.org/jira/browse/HADOOP-10769
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.0.0
> Reporter: Alejandro Abdelnur
> Assignee: Arun Suresh
>
> The KeyProvider API needs to return delegation tokens to enable access to the
> KeyProvider from processes without Kerberos credentials (i.e. YARN containers).
> This is required for HDFS encryption and KMS integration.
--
This message was sent by Atlassian JIRA
(v6.2#6252)