[jira] [Commented] (HDFS-4056) Always start the NN's SecretManager

Thu, 01 Nov 2012 06:51:15 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-4056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13488698#comment-13488698
 ] 

Daryn Sharp commented on HDFS-4056:
-----------------------------------

bq. {quote}Yes, it should work if you fetch the token yourself.{quote}
bq. As far as I know, that is not by design.

Do you believe this is an illegitimate use case?  Should you not be allowed to 
talk to clusters of various auth types if you have used (in some way) the 
appropriate credentials to get a token?

bq. Suppose some clients are configured to use tokens, some don't. How do you 
make sure they did what they are supposed to do? Or you don't care? If a client 
happens to use a Hadoop conf that says "use tokens", it will fetch and use 
them; otherwise, it won't. Either way it works.

For the sake of this jira, yes, I don't care whether the client gets a token in 
SIMPLE mode.  There's another subtask for determining whether the client/task 
should be forced to use tokens.  I posted an example, but will be revising it 
based on offline feedback from Owen.

I'm trying to implement this improvement in small incremental steps.  This 
patch alone does not cause a change in behavior for clients on insecure 
clusters.  I think the debate over whether insecure clients obtain tokens is 
more appropriately debated on the other subtasks.  Would you please be willing 
to lift your veto on this jira?  At least to a -0?
                
> Always start the NN's SecretManager
> -----------------------------------
>
>                 Key: HDFS-4056
>                 URL: https://issues.apache.org/jira/browse/HDFS-4056
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>          Components: name-node
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HDFS-4056.patch
>
>
> To support the ability to use tokens regardless of whether kerberos is 
> enabled, the NN's secret manager should always be started.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to