You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Daryn Sharp (JIRA)" <ji...@apache.org> on 2012/10/23 16:25:11 UTC

[jira] [Created] (HADOOP-8965) Allow client to specify internal authentication

Daryn Sharp created HADOOP-8965:
-----------------------------------

             Summary: Allow client to specify internal authentication
                 Key: HADOOP-8965
                 URL: https://issues.apache.org/jira/browse/HADOOP-8965
             Project: Hadoop Common
          Issue Type: Sub-task
          Components: ipc
    Affects Versions: 2.0.0-alpha, 0.23.0, 1.0.0, 3.0.0
            Reporter: Daryn Sharp
            Assignee: Daryn Sharp


The RPC client currently uses a token if present, else it falls back to authentication.  This creates an ambiguity in the client if SIMPLE auth is allowed to use tokens.  A task will continue to run if the task loses its tokens because it will fallback to SIMPLE auth - this would be a bug.  There should be a means to specify that tasks must use tokens to avoid the ambiguity.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (HADOOP-8965) Allow client to specify internal authentication

Posted by "Kan Zhang (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HADOOP-8965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13482794#comment-13482794 ] 

Kan Zhang commented on HADOOP-8965:
-----------------------------------

I haven't looked closely, but I think we can add a field to ConnectionId object to specify the type of connection the RPC client should create (initial, subsequent, or any). This combined with config options for initial and subsequent auth methods, respectively, should decide what auth method(s) the RPC client should use to make the connection.
                
> Allow client to specify internal authentication
> -----------------------------------------------
>
>                 Key: HADOOP-8965
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8965
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 1.0.0, 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> The RPC client currently uses a token if present, else it falls back to authentication.  This creates an ambiguity in the client if SIMPLE auth is allowed to use tokens.  A task will continue to run if the task loses its tokens because it will fallback to SIMPLE auth - this would be a bug.  There should be a means to specify that tasks must use tokens to avoid the ambiguity.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (HADOOP-8965) Allow client to specify internal authentication

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/HADOOP-8965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13483249#comment-13483249 ] 

Daryn Sharp commented on HADOOP-8965:
-------------------------------------

I prepared a patch for this change yesterday, but was waiting for HDFS-4056 to be approved before I wrote a bunch of tests.

The general gist is a config key to specify if clients may authenticate.  By default the value is true.  After the job client acquired tokens, it flipped the value to false.  The RPC client used this value to determine how to authenticate.  If the value is false, the RPC client would throw an exception if a token is not a available.  This would cause tasks in SIMPLE mode to fail when lacking a token, and would throw a user decipherable exception when using KERBEROS with no TGT or token.

I'll post but not submit the example patch, and then reconcile it with the issues cited here and in HDFS-4056.
                
> Allow client to specify internal authentication
> -----------------------------------------------
>
>                 Key: HADOOP-8965
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8965
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 1.0.0, 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>
> The RPC client currently uses a token if present, else it falls back to authentication.  This creates an ambiguity in the client if SIMPLE auth is allowed to use tokens.  A task will continue to run if the task loses its tokens because it will fallback to SIMPLE auth - this would be a bug.  There should be a means to specify that tasks must use tokens to avoid the ambiguity.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (HADOOP-8965) Allow client to specify internal authentication

Posted by "Daryn Sharp (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/HADOOP-8965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daryn Sharp updated HADOOP-8965:
--------------------------------

    Attachment: HADOOP-8965.example.patch

Barebones patch to demonstrate possible ipc client changes to force use of tokens in SIMPLE auth.

In conjunction with HDFS-4056, I'll add another conditional for whether to look for tokens.
                
> Allow client to specify internal authentication
> -----------------------------------------------
>
>                 Key: HADOOP-8965
>                 URL: https://issues.apache.org/jira/browse/HADOOP-8965
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: ipc
>    Affects Versions: 1.0.0, 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>         Attachments: HADOOP-8965.example.patch
>
>
> The RPC client currently uses a token if present, else it falls back to authentication.  This creates an ambiguity in the client if SIMPLE auth is allowed to use tokens.  A task will continue to run if the task loses its tokens because it will fallback to SIMPLE auth - this would be a bug.  There should be a means to specify that tasks must use tokens to avoid the ambiguity.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira