[
https://issues.apache.org/jira/browse/HDFS-12284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16667645#comment-16667645
]
Brahma Reddy Battula edited comment on HDFS-12284 at 10/29/18 8:00 PM:
-----------------------------------------------------------------------
Thanks for working on this jira.
IIUC, Daryn was talking about the following: for each operation a ugi is getting
created (ugi construction).
{code:java}
UserGroupInformation connUGI = ugi;
if (UserGroupInformation.isSecurityEnabled()) {
  UserGroupInformation routerUser = UserGroupInformation.getLoginUser();
  connUGI = UserGroupInformation.createProxyUser(
      ugi.getUserName(), routerUser);
}
connection = this.connectionManager.getConnection(
    connUGI, rpcAddress, proto);
{code}
{quote}I plan to enhance the connection pooling part by introducing synchronous
connection creation using semaphore semantics instead of the current
asynchronous connection creation.
{quote}
Mostly this can address it, we just need to avoid this when the proxy user is
already constructed.
{quote}The temporary solution for this JIRA is to add the definition of
dfs.federation.router.kerberos.internal.spnego.principal to
SecurityConfUtil#initSecurity().
Thoughts?
{quote}
Yes, we should this config like all other configs to start router http server.
{quote}We can create another ticket for adding hdfs-rbf-default.xml in
HdfsConfiguration, but wondering how it will work for NameNode? Because in a
namenode scenario, hdfs-rbf-default.xml may not be in the classpath.
{quote}
AFAIK, just one more file (hdfs-rbf*) will be added to the classpath of the
Namenode and DataNode. I don't think users will configure namenode/datanode
configs in this file, so this will not impact these processes.
I think the newly added test cases are not using the state store (as the zk
address is not used) and requests are not going through the router.
We should commit this ASAP, as this blocks the delegation token impl. [~crh], can
you update the delegation token prototype based on this?
> RBF: Support for Kerberos authentication
> ----------------------------------------
>
> Key: HDFS-12284
> URL: https://issues.apache.org/jira/browse/HDFS-12284
> Project: Hadoop HDFS
> Issue Type: Sub-task
> Components: security
> Reporter: Zhe Zhang
> Assignee: Sherwood Zheng
> Priority: Major
> Attachments: HDFS-12284-HDFS-13532.004.patch,
> HDFS-12284-HDFS-13532.005.patch, HDFS-12284-HDFS-13532.006.patch,
> HDFS-12284-HDFS-13532.007.patch, HDFS-12284-HDFS-13532.008.patch,
> HDFS-12284-HDFS-13532.009.patch, HDFS-12284-HDFS-13532.010.patch,
> HDFS-12284-HDFS-13532.011.patch, HDFS-12284-HDFS-13532.012.patch,
> HDFS-12284.000.patch, HDFS-12284.001.patch, HDFS-12284.002.patch,
> HDFS-12284.003.patch
>
>
> HDFS Router should support Kerberos authentication and issuing / managing
> HDFS delegation tokens.