[jira] [Commented] (MAPREDUCE-3825) Need generalized multi-token filesystem support

Tue, 07 Feb 2012 16:37:25 -0800 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13203034#comment-13203034
 ] 

Daryn Sharp commented on MAPREDUCE-3825:
----------------------------------------

(sorry, have to leave for the day)

Yes, there no question there is multi-token support, but the way it integrates 
with the TokenCache is broken.  The TokenCache expects a 1 to 1 mapping between 
the canonical service name and the filesystem's delegation token service.  This 
is because TokenCache uses the canonical service as a key in its credentials.  
It doesn't work correctly for multi-token filesystems, or filtered filesystems 
using a different scheme than the underlying fs.  It's wrong, but it's what 
we've got to work with.  Eventually the token cache should have no knowledge 
about the canonical service at all.

I agree the TokenCache does need an overhaul.  If it wasn't for the block of 
code that tries to load the binary token cache if a token is missing, then with 
the changes in common the whole method collapses into calling 
getDelegationTokens on the filesystems.  However, I'm paranoid of altering the 
behavior of the TokenCache in 23, so I created a backwards compatible solution 
that works perfectly with the way FileSystem tokens are currently designed.

                
> Need generalized multi-token filesystem support
> -----------------------------------------------
>
>                 Key: MAPREDUCE-3825
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3825
>             Project: Hadoop Map/Reduce
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.1, 0.24.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> This is the counterpart to HADOOP-7967.  The token cache currently tries to 
> assume a filesystem's token service key.  The assumption generally worked 
> while there was a one to one mapping of filesystem to token.  With the advent 
> of multi-token filesystems like viewfs, the token cache will try to use a 
> service key (ie. for viewfs) that will never exist (because it really gets 
> the mounted fs tokens).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to