[ https://issues.apache.org/jira/browse/HDFS-13972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16808955#comment-16808955 ]

CR Hota commented on HDFS-13972:
--------------------------------

[~elgoiri] Thanks for the review. 

Could you help me understand your concerns better?

Sadly, without this change, we can't support secure create calls. Create calls
would need datanodes to be able to redirect requests. The challenge is that the
datanode report needs superuser creds in a secured env.

Other possible ways are:
 1. To relax datanode report functionality in hdfs to NOT expect superuser
creds. I am not sure if this is the right approach wrt security, i.e. exposing
all datanodes to users without superuser creds.
 2. To forward requests to the namenode first. This would mean 2 redirects and
also a dependency on the router to generate yet another token for the
downstream namenode. This flow would be significantly more inefficient compared
to the current approach.
 3. Keep a copy of the getDatanode report in an async manner in the router;
this would again get us into tricky situations of consistency and efficiency.
For example, create may not be used by a customer at all, but the router keeps
invoking this call at a regular cadence, adding inefficiency and extra load on
routers. It will also be hard to keep an up-to-date and consistent view of
datanodes for the cluster when a create call is actually invoked.

If we address this in a follow-up Jira, it essentially means not supporting
secured CREATE calls for the time being.

[~surendrasingh] [~brahmareddy] Could you also help share your thoughts here?

> RBF: Support for Delegation Token (WebHDFS)
> -------------------------------------------
>
>                 Key: HDFS-13972
>                 URL: https://issues.apache.org/jira/browse/HDFS-13972
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>            Reporter: Íñigo Goiri
>            Assignee: CR Hota
>            Priority: Major
>         Attachments: HDFS-13972-HDFS-13891.001.patch, 
> HDFS-13972-HDFS-13891.002.patch, HDFS-13972-HDFS-13891.003.patch, 
> HDFS-13972-HDFS-13891.004.patch, HDFS-13972-HDFS-13891.005.patch, 
> HDFS-13972-HDFS-13891.006.patch, HDFS-13972-HDFS-13891.007.patch, 
> HDFS-13972-HDFS-13891.008.patch, HDFS-13972-HDFS-13891.009.patch, 
> HDFS-13972-HDFS-13891.010.patch, HDFS-13972-HDFS-13891.011.patch, 
> TestRouterWebHDFSContractTokens.java
>
>
> HDFS Router should support issuing HDFS delegation tokens through WebHDFS.


