[https://issues.apache.org/jira/browse/HADOOP-11181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14169890#comment-14169890]
Zhijie Shen commented on HADOOP-11181:
--------------------------------------
It is required because DelegationTokenAuthenticationFilter has the assumption
that the delegation token it is dealing with is
*.web.DelegationTokenIdentifier, which is not always true given that it allows
hooking an external secretManager. In RM (YARN-2656) and timeline server (YARN-2676),
we're going to hook the YARN's secretManager, and process the delegation token
extended from YARNDelegationTokenIdentifier, which unfortunately doesn't extend
*.web.DelegationTokenIdentifier, but their common ancestor,
AbstractDelegationTokenIdentifier. That's why I need to generalize the common
code, such that we can pass in our sub-type delegation token.
Importantly, our delegation token created by YARN's secretManager is serialized
in YARN's customized method, but DelegationTokenSecretyManager is using
*.web.DelegationTokenIdentifier's method to deserialize it, hence resulting in an
error.
> o.a.h.security.token.delegation.DelegationTokenManager should be more
> generalized to handle other DelegationTokenIdentifier
> ---------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11181
> URL: https://issues.apache.org/jira/browse/HADOOP-11181
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Zhijie Shen
> Assignee: Zhijie Shen
> Attachments: HADOOP-11181.1.patch
>
>
> While DelegationTokenManager can set an external secretManager, it has the
> assumption that the token is going to be
> o.a.h.security.token.delegation.DelegationTokenIdentifier, and uses the
> DelegationTokenIdentifier method to decode a token.
> {code}
> @SuppressWarnings("unchecked")
> public UserGroupInformation verifyToken(Token<DelegationTokenIdentifier> token)
>     throws IOException {
>   ByteArrayInputStream buf = new ByteArrayInputStream(token.getIdentifier());
>   DataInputStream dis = new DataInputStream(buf);
>   // Hard-wired to the web identifier type, regardless of the hooked secretManager
>   DelegationTokenIdentifier id = new DelegationTokenIdentifier(tokenKind);
>   id.readFields(dis);
>   dis.close();
>   secretManager.verifyToken(id, token.getPassword());
>   return id.getUser();
> }
> {code}
> It's not going to work if the token kind is other than
> web.DelegationTokenIdentifier. For example, RM wants to reuse it but hook it
> to RMDelegationTokenSecretManager and RMDelegationTokenIdentifier, which has
> a customized way to decode a token.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
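Added illustration of the mismatch the issue describes, written for this page and not taken from Hadoop: a self-contained model in which the identifier classes, the secretManager hook (`createIdentifier()`) and the YARN-style wire format (a version byte before the owner) are all constructed stand-ins, so the hard-wired decode fails on a YARN-issued token while the generalized decode, which lets the hooked secretManager instantiate its own identifier subtype, succeeds.

```java
import java.io.*;
// Constructed stand-in for the Hadoop types named on the page; same shapes, not Hadoop code.
abstract class AbstractDelegationTokenIdentifier {
    String owner;
    abstract void readFields(DataInput in) throws IOException;
    abstract void write(DataOutput out) throws IOException;
}
// Models *.web.DelegationTokenIdentifier: owner written as a plain UTF string.
class WebDelegationTokenIdentifier extends AbstractDelegationTokenIdentifier {
    void readFields(DataInput in) throws IOException { owner = in.readUTF(); }
    void write(DataOutput out) throws IOException { out.writeUTF(owner); }
}
// Models a YARN-style identifier with its own wire format (constructed here: a version byte, then the owner).
class YarnDelegationTokenIdentifier extends AbstractDelegationTokenIdentifier {
    void readFields(DataInput in) throws IOException {
        if (in.readByte() != 2) throw new IOException("unexpected identifier version");
        owner = in.readUTF();
    }
    void write(DataOutput out) throws IOException { out.writeByte(2); out.writeUTF(owner); }
}
// Models the external secretManager hook: the manager knows which identifier subtype it issues.
interface SecretManager { AbstractDelegationTokenIdentifier createIdentifier(); }
class DelegationTokenManager {
    private final SecretManager secretManager;
    DelegationTokenManager(SecretManager sm) { secretManager = sm; }
    // As on the page: the web identifier is hard-wired, whatever secretManager was hooked in.
    String verifyTokenHardcoded(byte[] identifier) throws IOException {
        AbstractDelegationTokenIdentifier id = new WebDelegationTokenIdentifier();
        id.readFields(new DataInputStream(new ByteArrayInputStream(identifier)));
        return id.owner;  // the password check against secretManager is left out of this model
    }
    // Generalized: the hooked secretManager instantiates its own subtype, which decodes itself.
    String verifyToken(byte[] identifier) throws IOException {
        AbstractDelegationTokenIdentifier id = secretManager.createIdentifier();
        id.readFields(new DataInputStream(new ByteArrayInputStream(identifier)));
        return id.owner;
    }
    public static void main(String[] args) throws IOException {
        YarnDelegationTokenIdentifier issued = new YarnDelegationTokenIdentifier();
        issued.owner = "alice";
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        issued.write(new DataOutputStream(bos));
        byte[] bytes = bos.toByteArray();  // what token.getIdentifier() would carry for a YARN token
        DelegationTokenManager mgr = new DelegationTokenManager(YarnDelegationTokenIdentifier::new);
        System.out.println("generalized decode: " + mgr.verifyToken(bytes));
        try { mgr.verifyTokenHardcoded(bytes); }
        catch (IOException e) { System.out.println("hard-wired decode failed: " + e); }
    }
}
```

The hard-wired path reads the version byte and the first length byte as a 16-bit UTF length, so it runs off the end of the identifier; a format whose leading bytes happened to parse as a short length would instead be silently mis-decoded, which is the quieter failure mode a generalized decode avoids.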