[
https://issues.apache.org/jira/browse/HDFS-13532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16545863#comment-16545863
]
Íñigo Goiri commented on HDFS-13532:
------------------------------------
Thanks [~crh] for [^RBF _ Security delegation token thoughts.pdf].
Approach #1 has the flavor of a gateway and I think that Approach #2 is the
closest to the HDFS philosophy.
I would vote for #2, which is close to what [~zhengxg3] proposed in
[^Security_for_Router-based Federation_design_doc.pdf].
Regarding approach #2:
* As you mentioned, it imposes some restrictions on the State Store but we can
implement the fully consistent implementation in parallel.
* Merging and storing the tokens can be somewhat similar to what the NN
currently does. It'd be good to have more details but we could leave those
details to HDFS-13358.
Anyway, once we agree that #2 is the right way to go, we can do a detailed
document.
Regarding the questions from [~xiaochen], I think that the assumption is
correct: the user would authenticate to the Router using regular Kerberos and
that's a strong requirement for the Router to forward to the Routers. Regarding
the token renewal, the Router would be the one forwarding the RM
renewal/cancellation.
> RBF: Adding security
> --------------------
>
> Key: HDFS-13532
> URL: https://issues.apache.org/jira/browse/HDFS-13532
> Project: Hadoop HDFS
> Issue Type: New Feature
> Reporter: Íñigo Goiri
> Assignee: Sherwood Zheng
> Priority: Major
> Attachments: RBF _ Security delegation token thoughts.pdf,
> Security_for_Router-based Federation_design_doc.pdf
>
>
> HDFS Router based federation should support security. This includes
> authentication and delegation tokens.