[ https://issues.apache.org/jira/browse/STORM-346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14042671#comment-14042671 ]

Robert Joseph Evans commented on STORM-346:
-------------------------------------------

Sorry, I didn't throw up a design or explain this very well.

IAutoCredentials right now only has APIs to fetch credentials on the client 
side, and then use them on the topology side to populate a Subject.  For this 
we need to extend it so that it could also fetch the credentials on nimbus when 
the topology is submitted (if it is configured to do so).

So for an HDFS delegation token I would expect the code to do something like 
the following.

# The client would submit a topology with a config set that says it wants hdfs delegation tokens, i.e. topology.autohdfs.namenodes=["hdfs://foo.com/","hdfs://bar.com"]
# Nimbus, before it finishes submitting the topology, runs the configured IAutoCredentials instances (probably need a new config for this, or extend ICredentialsRenewer to also take the topology config).
## AutoHDFS would look at the config and become a proxy user for the different NameNodes to fetch the delegation token and put it into the credentials.
# On the topology side AutoHDFS would take the delegation token and populate it into the UGI.

Periodically Nimbus would run AutoHDFS as an ICredentialsRenewer.  If the token 
needs to be renewed it would connect to the name node and renew it.  If the 
renewal period is about to expire it would fetch a new delegation token, and 
replace the old one in the credentials map.

For HBase it should be similar, but replace hdfs with hbase.  I have heard 
though that for this to work properly hbase may need a fix too.  Some people I 
have talked to have indicated that the RPC layer of HBase caches the delegation 
token, so even if it is updated in the UGI it will not be used to make new 
connections to HBase, but I don't know for sure.
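The token lifecycle sketched in the comment above (fetch on submit as a proxy user, renew each period, re-fetch and replace the entry in the credentials map before renewal is no longer allowed), written out as an added Python illustration. This is not Storm or Hadoop code: `FakeNameNode`, `Token`, the lifetimes, the `storm` super-user name, the `hdfs-token:` credential key and the `simulate` driver are constructed assumptions; only the config key `topology.autohdfs.namenodes` comes from the comment.

```python
"""Delegation-token lifecycle: fetch on submit, renew before the token lapses,
re-fetch before renewal is refused. Added illustration only; the NameNode and
token types below are constructed stand-ins, not Storm or Hadoop classes."""
from dataclasses import dataclass
import itertools

# Assumed lifetimes (Hadoop's are configurable; these values are illustrative).
RENEW_INTERVAL = 24 * 3600     # a token lapses unless renewed within 24h
MAX_LIFETIME = 7 * 24 * 3600   # renewal is refused 7 days after issue
SAFETY_MARGIN = 3600           # act one hour before either deadline

CONF_NAMENODES = "topology.autohdfs.namenodes"   # key from the comment


@dataclass
class Token:
    token_id: int
    owner: str
    expires: int    # lapses here unless renewed
    max_date: int   # cannot be renewed past this point


class FakeNameNode:
    """Stand-in for a NameNode's delegation-token RPCs (constructed)."""

    def __init__(self, uri):
        self.uri = uri
        self._ids = itertools.count(1)
        self._issued = {}

    def get_delegation_token(self, real_user, owner, now):
        # real_user is the super user Nimbus runs as, owner the proxied
        # submitter; a real NameNode enforces proxy-user ACLs at this point.
        tok = Token(next(self._ids), owner, now + RENEW_INTERVAL, now + MAX_LIFETIME)
        self._issued[tok.token_id] = tok
        return tok

    def renew_delegation_token(self, token_id, now):
        tok = self._issued[token_id]
        if now > tok.expires or now > tok.max_date:
            raise PermissionError(f"token {token_id} can no longer be renewed")
        tok.expires = min(now + RENEW_INTERVAL, tok.max_date)
        return tok


def cred_key(nn):
    return "hdfs-token:" + nn.uri          # assumed credentials-map key


def encode(tok):
    # Storm's credentials map is string-to-string, so serialize the token.
    return f"{tok.token_id}|{tok.expires}|{tok.max_date}"


def decode(value):
    tid, exp, mx = value.split("|")
    return int(tid), int(exp), int(mx)


def populate_credentials(credentials, conf, namenodes, submitter, now):
    """Nimbus-side step at submit time: one token per configured NameNode."""
    for nn in namenodes:
        if nn.uri in conf.get(CONF_NAMENODES, []):
            tok = nn.get_delegation_token("storm", submitter, now)
            credentials[cred_key(nn)] = encode(tok)


def renew_credentials(credentials, conf, namenodes, submitter, now):
    """One periodic renewer pass; returns {namenode uri: action} for inspection."""
    actions = {}
    for nn in namenodes:
        key = cred_key(nn)
        if key not in credentials:
            continue
        tid, expires, max_date = decode(credentials[key])
        if now + SAFETY_MARGIN >= max_date:
            # Renewal is about to be refused: fetch a fresh token and replace
            # the old one in the credentials map.
            tok = nn.get_delegation_token("storm", submitter, now)
            credentials[key] = encode(tok)
            actions[nn.uri] = "refetched"
        elif now + SAFETY_MARGIN >= expires:
            tok = nn.renew_delegation_token(tid, now)
            credentials[key] = encode(tok)
            actions[nn.uri] = "renewed"
        else:
            actions[nn.uri] = "ok"
    return actions


def simulate(step, passes):
    """Submit at t=0, then run the renewer every `step` seconds."""
    foo, bar = FakeNameNode("hdfs://foo.com/"), FakeNameNode("hdfs://bar.com")
    conf = {CONF_NAMENODES: ["hdfs://foo.com/"]}   # bar is not requested
    creds = {}
    populate_credentials(creds, conf, [foo, bar], "alice", 0)
    history = [renew_credentials(creds, conf, [foo, bar], "alice", i * step)
               for i in range(1, passes + 1)]
    return creds, history
```

Running `simulate(12 * 3600, 14)` renews the token six times over the week and replaces it with a freshly fetched one on the last pass, once the maximum lifetime is within the safety margin. The margin matters: a renewer that only reacts after `expires` has passed gets a `PermissionError` from the NameNode and the topology is left with a dead token, which is the situation the periodic renewer exists to prevent.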


> (Security) Oozie style delegation tokens for HDFS/HBase
> -------------------------------------------------------
>
>                 Key: STORM-346
>                 URL: https://issues.apache.org/jira/browse/STORM-346
>             Project: Apache Storm (Incubating)
>          Issue Type: Bug
>            Reporter: Robert Joseph Evans
>            Assignee: Parth Brahmbhatt
>              Labels: security
>
> Oozie has the ability to fetch delegation tokens on behalf of other users by 
> running as a super user that can become a proxy user for almost anyone else.
> We should build one or more classes similar to AutoTGT that can fetch a 
> delegation token for HDFS/HBase, renew the token if needed, and then once the 
> token is about to permanently expire fetch a new one.
> According to some people I have talked with HBase may need to have a JIRA 
> filed against it so that it can pick up a new delegation token without 
> needing to restart the process.

--
This message was sent by Atlassian JIRA
(v6.2#6252)