[ 
https://issues.apache.org/jira/browse/HDFS-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13481913#comment-13481913
 ] 

Daryn Sharp commented on HDFS-4056:
-----------------------------------

bq. The NN does not allow a UGI auth of token to issue, renew, or cancel 
tokens.
bq. Since only connections authenticated using the initial auth method(s) are 
allowed to fetch tokens (I assume we keep that behavior) [...]

Yes, that behavior has not changed.

bq.  [...] the server needs to be able to make a determination on whether a 
connection is authenticated as an initial connection or a subsequent one. 

I completely understand the point you are trying to make here.  With a secure 
cluster, a task (subsequent connection) must use DIGEST-MD5 with a token, else 
it will fail because it lacks a TGT for KERBEROS.  The distinction between 
initial and subsequent connection is unambiguous based on KERBEROS/DIGEST-MD5.  
That distinction will hold true for <ANY-AUTH-BUT-SIMPLE>/DIGEST-MD5.

bq. I don't see a use case where SIMPLE + SIMPLE and SIMPLE + TOKEN need to be 
enabled simultaneously

SIMPLE is a special case where it's ambiguous if it's an initial or subsequent 
connection.  The server has no way to know, so it's up to the client to "do the 
right thing".  This is where a conf setting, that the job submitter adds, would 
instruct the RPC client to only use tokens, which would enforce SIMPLE + TOKEN.

bq. it is desirable to be able to turn off any token related stuff (we can do 
that today)

In the absence of a new config key, the ambiguity introduced by SIMPLE 
effectively allows token-free operation.
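The initial-vs-subsequent distinction argued above can be checked with a small model. This is an added illustration, not Hadoop code from the issue or its patch: the NN-side rule (token operations refused on a connection that was itself authenticated with a token) and the client-side choice of auth method are reduced to two functions, and the three scenarios from the comment are run through them. The flag name `use_tokens_only` stands in for the unnamed conf setting the comment proposes and is an assumption.

```python
"""Model of the initial/subsequent connection distinction for NN token ops.

Constructed illustration only. Auth method names follow the discussion:
KERBEROS (initial, secure cluster), DIGEST-MD5 (token-backed, subsequent
connection) and SIMPLE. The `use_tokens_only` flag is a hypothetical stand-in
for the job-submitter conf setting mentioned in the comment.
"""
from dataclasses import dataclass

# Operations the NN restricts to connections made with an initial auth method.
TOKEN_OPS = {"issue", "renew", "cancel"}


@dataclass(frozen=True)
class Connection:
    auth_method: str  # "KERBEROS", "DIGEST-MD5" or "SIMPLE"


def server_permits_token_op(conn: Connection, op: str) -> bool:
    """NN-side rule: a connection authenticated by a token (DIGEST-MD5) may not
    issue, renew or cancel tokens. Anything else is treated as an initial
    connection, which is exactly why SIMPLE is ambiguous: the server cannot
    tell a task's SIMPLE connection from the job submitter's."""
    if op not in TOKEN_OPS:
        return True
    return conn.auth_method != "DIGEST-MD5"


def client_pick_auth(security_enabled: bool, has_token: bool,
                     use_tokens_only: bool) -> str:
    """Client-side choice. On a secure cluster a task has a token but no TGT, so
    it must use DIGEST-MD5. Under SIMPLE it would normally keep using SIMPLE;
    only the `use_tokens_only` flag (hypothetical) forces the token path."""
    if has_token and (security_enabled or use_tokens_only):
        return "DIGEST-MD5"
    return "KERBEROS" if security_enabled else "SIMPLE"


def task_can_mint_tokens(security_enabled: bool, use_tokens_only: bool) -> bool:
    """Can a task (a subsequent connection that already holds a token) get the
    NN to issue it further tokens?"""
    auth = client_pick_auth(security_enabled, has_token=True,
                            use_tokens_only=use_tokens_only)
    return server_permits_token_op(Connection(auth), "issue")


def scenarios() -> dict:
    """The three cases from the discussion, keyed by cluster configuration."""
    return {
        "KERBEROS + TOKEN": task_can_mint_tokens(True, False),
        "SIMPLE + SIMPLE (no flag)": task_can_mint_tokens(False, False),
        "SIMPLE + TOKEN (flag set)": task_can_mint_tokens(False, True),
    }


if __name__ == "__main__":
    for name, can_mint in scenarios().items():
        print(f"{name:28s} task can issue tokens: {can_mint}")
```

Only the middle scenario lets a task mint tokens: with Kerberos the DIGEST-MD5 path is forced by the missing TGT, and with the flag set the client forces it itself. Without either, the server sees two indistinguishable SIMPLE connections, which is the ambiguity the comment describes and also what makes token-free operation possible when no token is ever requested.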
                
> Always start the NN's SecretManager
> -----------------------------------
>
>                 Key: HDFS-4056
>                 URL: https://issues.apache.org/jira/browse/HDFS-4056
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: name-node
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HDFS-4056.patch
>
>
> To support the ability to use tokens regardless of whether kerberos is 
> enabled, the NN's secret manager should always be started.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
