You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Vinod Kumar Vavilapalli (JIRA)" <ji...@apache.org> on 2016/08/22 20:01:20 UTC

[jira] [Updated] (HADOOP-10776) Open up Delegation token fetching and renewal to STORM (Possibly others)

     [ https://issues.apache.org/jira/browse/HADOOP-10776?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vinod Kumar Vavilapalli updated HADOOP-10776:
---------------------------------------------
    Attachment: HADOOP-10776-20160822.txt

Taking a quick crack at making some of the already very widely used security related class public.

The patch makes the following public
 - Classes: AccessControlException, Credentials, UserGroupInformation, AuthorizationException, Token.TrivialRenewer, AbstractDelegationTokenIdentifier, AbstractDelegationTokenSecretManager
 - Methods: FileSystem.getCanonicalServiceName(), FileSystem.addDelegationTokens()

Couple of general notes
 - I'd like to skip the evolving vs public discussion for now and focus only on visibility - so I just marked everything evolving.
 - I did a quick search and obviously there are a lot more classes that need more careful thinking. Unless I've missed some of the very obvious ones, I'd like to make progress on getting the current ones done first.

[~revans2], [~cnauroth], [~arpitagarwal], can one or more of you quickly look at this? Shouldn't take more than 5-10 minutes.

> Open up Delegation token fetching and renewal to STORM (Possibly others)
> ------------------------------------------------------------------------
>
>                 Key: HADOOP-10776
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10776
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Robert Joseph Evans
>            Priority: Blocker
>         Attachments: HADOOP-10776-20160822.txt
>
>
> Storm would like to be able to fetch delegation tokens and forward them on to running topologies so that they can access HDFS (STORM-346).  But to do so we need to open up access to some of APIs. 
> Most notably FileSystem.addDelegationTokens(), Token.renew, Credentials.getAllTokens, and UserGroupInformation but there may be others.
> At a minimum adding in storm to the list of allowed API users. But ideally making them public. Restricting access to such important functionality to just MR really makes secure HDFS inaccessible to anything except MR, or tools that reuse MR input formats.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org