[
https://issues.apache.org/jira/browse/HDFS-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13488141#comment-13488141
]
Kan Zhang commented on HDFS-4056:
---------------------------------
bq. ... there is no harm in having the secret manager running if a client using
SIMPLE auth choses to use tokens.
That would be very confusing and I certainly don't want to see it happen in my
production cluster. I may configure a cluster to use either SIMPLE + SIMPLE or
SIMPLE + TOKEN for different purposes, but I don't see why I want to mix them
up, especially at production (there is no security benefit, only overhead).
bq. I don't understand this objection. If a token is available, why not use it?
If the conf says SIMPLE + SIMPLE, then even if a token is present, it shouldn't
be used. That token may be from a stale token file. RPC Client shouldn't even
waste its time looking for tokens.
bq. If a cluster not using tokens wants to talk to a cluster requiring tokens,
then doesn't it have to send the token regardless of the local config?
That's a different issue. I'm not sure we support an insecure cluster to talk
to a secure one right now. Is that your goal?
> Always start the NN's SecretManager
> -----------------------------------
>
> Key: HDFS-4056
> URL: https://issues.apache.org/jira/browse/HDFS-4056
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: name-node
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Attachments: HDFS-4056.patch
>
>
> To support the ability to use tokens regardless of whether kerberos is
> enabled, the NN's secret manager should always be started.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
