[
https://issues.apache.org/jira/browse/HDFS-13532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16784661#comment-16784661
]
Brahma Reddy Battula commented on HDFS-13532:
---------------------------------------------
{quote}(1) router takes over delegation tokens management from namenodes at
all, (2) namenode only maintain delegation token request from router. right?
IIUC, maybe there are no graceful gray solution to upgrade clients
{quote}
Yes, DelegationToken Management is moved to Router.
{quote} Consider about one job submit to YARN from client which is upgrade to
support RBF, and all delegation tokens are distributed from router, but if yarn
still not upgrade, all executors will authenticate fail to namenode since
delegation token is not matching. Of course this issue is also true if upgrade
yarn first then client.
{quote}
Did you try it..? do you've failed logs..? As there is no client side changes
for this, should not be problem and jobconf.xml will be passed to
ResourceManager so RM also will connect to router to validate the tokens. Need
to check JHS/ATS when mount point and configured history location is different.
{quote}2. any performance test results about zookeeper which manage massive
delegation tokens? I am not very familiar with zookeeper, and if there are
obvious performance differences between zookeeper and memory at namenode before
RBF. If no evaluation, I would like to test it later.
3. if znode number impact performance of delegation token request in zookeeper?
delegation token request ops is very high for a large cluster, for instance,
1000K jobs every day and the maximum lifetime for which a delegation token is
valid set default by 7 days, in the worst case, it will backlog 7000K znodes at
all. some risk for more large cluster?
{quote}
May be [~elgoiri] or [~crh] can update on this.
{quote}4. any plan to support different approach and let user to choice?
{quote}
Yes, it's pluggable. can configure using
"dfs.federation.router.secret.manager.class".
[~crh] and [~elgoiri] do correct me if I am wrong.
> RBF: Adding security
> --------------------
>
> Key: HDFS-13532
> URL: https://issues.apache.org/jira/browse/HDFS-13532
> Project: Hadoop HDFS
> Issue Type: New Feature
> Reporter: Íñigo Goiri
> Assignee: CR Hota
> Priority: Major
> Attachments: RBF _ Security delegation token thoughts.pdf, RBF _
> Security delegation token thoughts_updated.pdf, RBF _ Security delegation
> token thoughts_updated_2.pdf, RBF-DelegationToken-Approach1b.pdf, RBF_
> Security delegation token thoughts_updated_3.pdf, Security_for_Router-based
> Federation_design_doc.pdf
>
>
> HDFS Router based federation should support security. This includes
> authentication and delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
