[ https://issues.apache.org/jira/browse/HDFS-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481799#comment-13481799 ]

Kan Zhang commented on HDFS-4056:
---------------------------------
{quote}
bq. Bottom line is the server should always be able to figure out by itself
whether a connection is an initial connection or a subsequent one, based on the
auth method (and type of credentials) used, since it needs to decide on whether
tokens can be issued for that connection.

The server already uses the auth the client sends in the RPC connection header
to determine the SASL method the client wants to use. The auth to the server
then determines the UGI's auth. The NN does not allow a UGI auth of token to
issue, renew, or cancel tokens.
{quote}
I don't think you get my point. It was a general comment. Since only
connections authenticated using the initial auth method(s) are allowed to fetch
tokens (I assume we keep that behavior), the server needs to be able to make a
determination on whether a connection is authenticated as an initial connection
or a subsequent one. For example, if we were to support SIMPLE + TOKEN and
SIMPLE + SIMPLE simultaneously (I think not), how could the server decide a
connection authenticated with SIMPLE to be an initial connection or not?

bq. If we want to allow compatibility with older clients, then both SIMPLE +
SIMPLE and SIMPLE + TOKEN must both be supported. Enabling the option of SIMPLE
+ TOKEN means we need the secret manager enabled which is the aim of this patch.

I don't see a use case where SIMPLE + SIMPLE and SIMPLE + TOKEN need to be
enabled simultaneously. Can you elaborate? On the other hand, in the SIMPLE +
SIMPLE use case I explained above, it is desirable to be able to turn off any
token-related stuff (we can do that today).

> Always start the NN's SecretManager
> -----------------------------------
>
> Key: HDFS-4056
> URL: https://issues.apache.org/jira/browse/HDFS-4056
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: name-node
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Attachments: HDFS-4056.patch
>
>
> To support the ability to use tokens regardless of whether Kerberos is
> enabled, the NN's secret manager should always be started.
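
An added example, not part of the original message or of Hadoop's code: a hypothetical Python model of the determination discussed in the comment above, where the server must classify a connection as initial or subsequent from its auth method alone. The names `Auth` and `AuthPolicy`, and the fail-closed handling of an ambiguous method, are assumptions made for illustration.

```python
from enum import Enum


class Auth(Enum):
    SIMPLE = "SIMPLE"
    KERBEROS = "KERBEROS"
    TOKEN = "TOKEN"


class AuthPolicy:
    """Hypothetical model of the enabled (initial, subsequent) auth pairs."""

    def __init__(self, pairs):
        self.pairs = set(pairs)
        self.initial = {first for first, _ in self.pairs}
        self.subsequent = {later for _, later in self.pairs}

    def ambiguous_methods(self):
        # A method enabled both as initial and as subsequent cannot be
        # classified from the connection's auth method alone.
        return self.initial & self.subsequent

    def needs_secret_manager(self):
        # Token machinery is needed only if some pair uses TOKEN afterwards.
        return Auth.TOKEN in self.subsequent

    def classify(self, method):
        if method not in self.initial | self.subsequent:
            raise ValueError(f"{method.value} is not enabled")
        if method in self.ambiguous_methods():
            return "ambiguous"
        return "initial" if method in self.initial else "subsequent"

    def may_issue_tokens(self, method):
        # Assumption: fail closed. Only an unambiguously initial connection
        # may fetch tokens, and only when tokens are in use at all.
        return self.needs_secret_manager() and self.classify(method) == "initial"


if __name__ == "__main__":
    # Constructed configurations covering the cases raised in the thread.
    configs = {
        "KERBEROS+TOKEN": [(Auth.KERBEROS, Auth.TOKEN)],
        "SIMPLE+SIMPLE": [(Auth.SIMPLE, Auth.SIMPLE)],
        "SIMPLE+TOKEN and SIMPLE+SIMPLE": [(Auth.SIMPLE, Auth.TOKEN),
                                           (Auth.SIMPLE, Auth.SIMPLE)],
    }
    for name, pairs in configs.items():
        policy = AuthPolicy(pairs)
        ambiguous = sorted(m.value for m in policy.ambiguous_methods())
        print(name, "secret manager:", policy.needs_secret_manager(),
              "ambiguous:", ambiguous)
```

With both SIMPLE pairs enabled, SIMPLE is the only initial method and it is ambiguous, so under the fail-closed assumption no connection in that configuration can fetch a token.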