[jira] [Commented] (HDFS-9525) hadoop utilities need to support provided delegation tokens

Fri, 11 Dec 2015 10:42:08 -0800 

    [ 
https://issues.apache.org/jira/browse/HDFS-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15053170#comment-15053170
 ] 

Daryn Sharp commented on HDFS-9525:
-----------------------------------

[~aw]  [~heesoo] -1.  Revert everything (I have a knack for screwing up git or 
I would do it) except the multiple token file support which is what this jira 
purported to do.  Never make fundamental security changes under an innocent 
sounding title.

# You _cannot_ get a token with a token.  That effectively killed security.  
What's the purpose of having an expiration if I can steal a token and use it to 
get new tokens forever?
# When you see a test explicitly stating that you can't use a token to get a 
token, you don't delete it.
# When you see a test called {{testPrivateTokenExclusion}}, that deals with 3 
tokens, with the comment "// Ensure only non-private tokens are returned", you 
don't change the assert from 1 to 3.
# In general, when you touch something security related and tests break - best 
case is unacceptable incompatibility.  Worst case, this.

I'm sorry for my tone.  Tremendous effort was spent to stabilize webhdfs for 
production usage.  Ignoring the security implications, handling of token 
acquisition, spnego contexts, and renewal was a terrible problem.  If I've 
misinterpreted the patch, please correct me.


> hadoop utilities need to support provided delegation tokens
> -----------------------------------------------------------
>
>                 Key: HDFS-9525
>                 URL: https://issues.apache.org/jira/browse/HDFS-9525
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: HeeSoo Kim
>            Priority: Blocker
>             Fix For: 3.0.0
>
>         Attachments: HDFS-7984.001.patch, HDFS-7984.002.patch, 
> HDFS-7984.003.patch, HDFS-7984.004.patch, HDFS-7984.005.patch, 
> HDFS-7984.006.patch, HDFS-7984.007.patch, HDFS-7984.patch
>
>
> When using the webhdfs:// filesystem (especially from distcp), we need the 
> ability to inject a delegation token rather than webhdfs initialize its own.  
> This would allow for cross-authentication-zone file system accesses.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to