Alexandre Linte created HDFS-11393:
--------------------------------------
Summary: Hadoop KMS contacted by jobs which don’t use KMS encryption
Key: HDFS-11393
URL: https://issues.apache.org/jira/browse/HDFS-11393
Project: Hadoop HDFS
Issue Type: Wish
Environment: Hadoop 2.7.3, Spark 1.6.3 on Yarn, Oozie 4.2.3
Cluster secured with Kerberos
Reporter: Alexandre Linte
Priority: Minor
Hello,
After a few days of usage of Hadoop KMS in our pre-production platform, it was
noticed that after restarting the resourcemanagers, all Yarn jobs generated on the
platform interrogated the KMS server, even if they didn't process encrypted
information.
{noformat}
2016-11-23 10:58:47,708 DEBUG AuthenticationFilter - Request
[http://uabigkms01:16000/kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fuabigrm01%40SANDBOX.HADOOP]
triggering authentication
2016-11-23 10:58:47,735 DEBUG AuthenticationFilter - Request
[http://uabigkms01:16000/kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fuabigrm01%40SANDBOX.HADOOP]
user xxxx authenticated
{noformat}
Indeed, after some research, we see that KMS supports delegation tokens to
authenticate to the Java KeyProvider by processes without Kerberos credentials.
Is there a way to bypass the delegation token on KMS and contact KMS only when
jobs or users in HDFS use encrypted data?
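To quantify the behaviour reported above, the KMS debug log can be tallied for delegation-token requests per user and renewer. The following is an added example, not part of the original report or of Hadoop; the sample log is constructed on the model of the excerpt above (the user names are invented), and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the excerpt above; each entry wraps over 3 lines.
SAMPLE_LOG = """\
2016-11-23 10:58:47,708 DEBUG AuthenticationFilter - Request
[http://uabigkms01:16000/kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fuabigrm01%40SANDBOX.HADOOP]
triggering authentication
2016-11-23 10:58:47,735 DEBUG AuthenticationFilter - Request
[http://uabigkms01:16000/kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fuabigrm01%40SANDBOX.HADOOP]
user etl_user authenticated
2016-11-23 10:59:02,101 DEBUG AuthenticationFilter - Request
[http://uabigkms01:16000/kms/v1/?op=GETDELEGATIONTOKEN&renewer=rm%2Fuabigrm01%40SANDBOX.HADOOP]
user report_user authenticated
"""

# Zero-width match at the start of every line that begins with a timestamp.
ENTRY_START = re.compile(r"^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} )", re.M)
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ AuthenticationFilter - Request "
    r"\[(?P<url>[^\]]+)\] (?P<outcome>.+)$"
)
USER = re.compile(r"^user (?P<user>\S+) authenticated$")


def parse_entries(log_text):
    """Rejoin wrapped log lines and parse each AuthenticationFilter request."""
    entries = []
    for chunk in ENTRY_START.split(log_text):
        m = ENTRY.match(" ".join(chunk.split()))  # collapse the line wraps
        if not m:
            continue
        query = parse_qs(urlsplit(m["url"]).query)  # also percent-decodes
        user = USER.match(m["outcome"])
        entries.append({"ts": m["ts"], "user": user["user"] if user else None,
                        "op": query.get("op", [""])[0],
                        "renewer": query.get("renewer", [""])[0]})
    return entries


def token_requests(entries):
    """Count authenticated GETDELEGATIONTOKEN requests per (user, renewer)."""
    return Counter(
        (e["user"], e["renewer"])
        for e in entries
        if e["op"] == "GETDELEGATIONTOKEN" and e["user"]
    )
```

Comparing these counts with the set of users who actually read or write encryption zones shows how many token requests come from jobs that never touch encrypted data.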