Posted to common-issues@hadoop.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2017/12/15 19:09:00 UTC

[jira] [Updated] (HADOOP-14556) S3A to support Delegation Tokens

     [ https://issues.apache.org/jira/browse/HADOOP-14556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran updated HADOOP-14556:
------------------------------------
    Attachment: HADOOP-14556-002.patch

Patch 002; in sync with trunk. FileContext tests still failing, as paths returned in getFileStatus/list, etc, don't include the port, that is: they don't have the same URI as the canonical name.

Daryn, if you've got your patch ready, I'd like to see it to see how we can merge things.

For this DT I want to 
* add: encryption settings,
* forward session credentials
* pick up env vars and use them if present. Gives you automatic marshalling. Issue: risk of fun with spark here, as it propagates the env vars already. These DTs would take priority for the specific FSs DTs get picked up for. I guess we can conclude that if you enable DTs, you want it
* support assumed roles, so that the client will talk to STS to assume a role before creating the client, and use that for local s3, DDB access, and pass in as the DT credentials

> S3A to support Delegation Tokens
> --------------------------------
>
>                 Key: HADOOP-14556
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14556
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: fs/s3
>    Affects Versions: 2.8.1
>            Reporter: Steve Loughran
>         Attachments: HADOOP-14556-001.patch, HADOOP-14556-002.patch
>
>
> S3A to support delegation tokens where
> * an authenticated client can request a token via {{FileSystem.getDelegationToken()}}
> * Amazon's token service is used to request short-lived session secret & id; these will be saved in the token and marshalled with jobs
> * A new authentication provider will look for a token for the current user and authenticate the user if found
> This will not support renewals; the lifespan of a token will be limited to the initial duration. Also, as you can't request an STS token from a temporary session, IAM instances won't be able to issue tokens.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)