[
https://issues.apache.org/jira/browse/HDFS-4009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13473368#comment-13473368
]
Owen O'Malley commented on HDFS-4009:
-------------------------------------
You also need delegation tokens for the protocol. The protocol looks like:
* Get or find current delegation token.
* Pass delegation token to datanode as part of request.
* Datanode uses delegation token to authenticate as user.
The datanodes shouldn't be given the authority to impersonate arbitrary users.
> WebHdfsFileSystem and HftpFileSystem don't need delegation tokens
> -----------------------------------------------------------------
>
> Key: HDFS-4009
> URL: https://issues.apache.org/jira/browse/HDFS-4009
> Project: Hadoop HDFS
> Issue Type: Improvement
> Affects Versions: 2.0.0-alpha
> Reporter: Tom White
> Assignee: Karthik Kambatla
> Attachments: hadoop-8852.patch, hadoop-8852.patch,
> hadoop-8852-v1.patch
>
>
> Parent JIRA to track the work of removing delegation tokens from these
> filesystems.
> This JIRA has evolved from the initial issue of these filesystems not
> stopping the DelegationTokenRenewer thread they were creating.
> After further investigation, Daryn pointed out - "If you can get a token, you
> don't need a token"! Hence, these filesystems shouldn't use delegation tokens.
> Evolution of the JIRA is listed below:
> Update 2:
> DelegationTokenRenewer is not required. The filesystems that are using it
> already have Krb tickets and do not need tokens. Remove
> DelegationTokenRenewer and all the related logic from WebHdfs and Hftp
> filesystems.
> Update 1:
> DelegationTokenRenewer should be Singleton - the instance and renewer threads
> should be created/started lazily. The filesystems using the renewer shouldn't
> need to explicitly start/stop the renewer, and only register/de-register for
> token renewal.
> Initial issue:
> HftpFileSystem and WebHdfsFileSystem should stop the DelegationTokenRenewer
> thread when they are closed.
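The three-step token flow from the comment above, as an added example that is not part of the original message and is not Hadoop code. It is a simplified model: the NameNode and DataNode classes, the JSON token identifier and the HMAC-SHA256 signature are assumptions chosen for the sketch. It shows why a datanode holding only user-supplied tokens cannot act as an arbitrary user.

```python
import hashlib
import hmac
import json
import os


class NameNode:
    """Holds the master key, so it alone can mint or validate tokens."""

    def __init__(self):
        self._master_key = os.urandom(32)

    def _sign(self, ident: bytes) -> bytes:
        return hmac.new(self._master_key, ident, hashlib.sha256).digest()

    def issue_token(self, owner: str, now: float, lifetime_s: int = 3600):
        # Step 1: an already-authenticated user asks for a token.
        ident = json.dumps({"owner": owner, "exp": now + lifetime_s}).encode()
        return ident, self._sign(ident)

    def authenticate(self, ident: bytes, password: bytes, now: float) -> str:
        if not hmac.compare_digest(self._sign(ident), password):
            raise PermissionError("token signature mismatch")
        claims = json.loads(ident)
        if claims["exp"] < now:
            raise PermissionError("token expired")
        return claims["owner"]


class DataNode:
    """Has no master key: it can act only as users whose tokens it was handed."""

    def __init__(self, namenode: NameNode):
        self._nn = namenode

    def handle_request(self, token, path: str, now: float) -> str:
        # Steps 2-3: the token arrives with the request and is the credential.
        user = self._nn.authenticate(token[0], token[1], now)
        return f"{path} opened as {user}"


if __name__ == "__main__":
    nn = NameNode()
    dn = DataNode(nn)
    token = nn.issue_token("alice", now=1000.0)
    print(dn.handle_request(token, "/user/alice/part-0", now=1500.0))
    forged = (token[0].replace(b"alice", b"hdfs"), token[1])  # constructed tamper
    try:
        dn.handle_request(forged, "/user/hdfs/secret", now=1500.0)
    except PermissionError as exc:
        print("rejected:", exc)
```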