[
https://issues.apache.org/jira/browse/HDFS-13532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16517575#comment-16517575
]
Xiao Chen edited comment on HDFS-13532 at 6/19/18 10:00 PM:
------------------------------------------------------------
Thanks for the work here [~zhengxg3] and all. The last page of the doc looks
familiar. :)
Some high level questions from the doc. I have not followed RBF closely and my
apologies if these are stupid comments/questions...
* I second what Inigo said above. It's not clear to me how DTr is used.
* It looks like we'll add the same mechanism to the router, so clients can
auth with kerberos, then get a delegation token for subsequent authentications.
Is this understanding correct?
* I'm not a very security person - the router proxying as client part seems
fine. But IMO that should only work if the client auth'ed via kerberos; if
client->router auth is dt, then router should not auth to NN via kerberos, but
only via the provided DTnn.
* Who's gonna renew the router tokens? Tokens from different NNs may have
different expiration time, hence need to be renewed at different intervals. RM
currently does this, it's kinda nice to reuse RM to handle the DTr token
renewal / cancelation.
* [~daryn] at one point mentioned he's working on some token issuer interface.
Not sure if it will benefit/collide with the work here.
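To make the third and fourth bullets concrete, here is a small added model (not Hadoop or RBF code; names such as `downstream_credential`, `AuthMethod` and `renewal_schedule` are assumptions) of the two design constraints raised above: a router that proxies to a NameNode with its own Kerberos identity only when the client itself authenticated with Kerberos, falling back strictly to the client-supplied per-NN token otherwise, and a renewal schedule that respects each NameNode token's own expiry instead of one shared interval.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthMethod(Enum):
    """How the client authenticated to the router (assumed model, not RBF's enum)."""
    KERBEROS = "kerberos"
    TOKEN = "token"


@dataclass(frozen=True)
class DelegationToken:
    """A NameNode delegation token (DTnn) as seen by the router; constructed sample type."""
    issuer: str     # nameservice that issued the token
    owner: str      # user the token was issued to
    expiry: float   # absolute expiry time, epoch seconds


@dataclass
class ClientSession:
    user: str
    method: AuthMethod
    # nameservice -> DelegationToken the client handed the router for that NN
    nn_tokens: dict = field(default_factory=dict)


def downstream_credential(session: ClientSession, nameservice: str):
    """Decide what credential the router presents to NameNode `nameservice`.

    Kerberos-authenticated clients may be proxied with the router's Kerberos
    identity (proxy-user).  A client that only proved possession of a router
    token must not inherit that Kerberos identity: the router may only pass on
    the DTnn the client itself supplied for that NameNode.
    """
    if session.method is AuthMethod.KERBEROS:
        return ("kerberos-proxy", session.user)
    if session.method is AuthMethod.TOKEN:
        token = session.nn_tokens.get(nameservice)
        if token is None:
            raise PermissionError(
                f"no DTnn for {nameservice}; refusing to proxy via Kerberos")
        if token.owner != session.user:
            raise PermissionError("DTnn owner does not match session user")
        return ("token", token)
    raise PermissionError(f"unsupported auth method {session.method}")


def renewal_schedule(tokens, now: float, margin: float):
    """Per-token renewal times: each NN token is renewed `margin` seconds before
    its own expiry, never earlier than `now`.  Returns (when, issuer) sorted by
    time, which is what a renewer loop would consume."""
    return sorted((max(now, t.expiry - margin), t.issuer) for t in tokens)


if __name__ == "__main__":
    # Constructed sample: two NameNodes with different token lifetimes.
    ns1 = DelegationToken("ns1", "alice", expiry=1_000_000 + 3600)
    ns2 = DelegationToken("ns2", "alice", expiry=1_000_000 + 86400)
    krb = ClientSession("alice", AuthMethod.KERBEROS)
    dt = ClientSession("alice", AuthMethod.TOKEN, {"ns1": ns1})
    print(downstream_credential(krb, "ns2"))
    print(downstream_credential(dt, "ns1"))
    print(renewal_schedule([ns1, ns2], now=1_000_000, margin=600))
```

The check that matters is the `PermissionError` on a token-authenticated session asking for a NameNode it holds no DTnn for: without it, a stolen router token would be upgraded to the router's Kerberos proxy rights. The schedule function is the piece a renewer (the RM-based one mentioned above, or a router-local one) would need in any case, since the tokens from different NameNodes expire at different times.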
> RBF: Adding security
> --------------------
>
> Key: HDFS-13532
> URL: https://issues.apache.org/jira/browse/HDFS-13532
> Project: Hadoop HDFS
> Issue Type: New Feature
> Reporter: Íñigo Goiri
> Assignee: Sherwood Zheng
> Priority: Major
> Attachments: Security_for_Router-based Federation_design_doc.pdf
>
>
> HDFS Router based federation should support security. This includes
> authentication and delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)