Posted to common-issues@hadoop.apache.org by "Larry McCay (JIRA)" <ji...@apache.org> on 2016/01/05 18:40:39 UTC

[jira] [Commented] (HADOOP-12563) Updated utility to create/modify token files

    [ https://issues.apache.org/jira/browse/HADOOP-12563?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15083440#comment-15083440 ] 

Larry McCay commented on HADOOP-12563:
--------------------------------------

I find this patch really interesting.

It touches on some of the pain points that I have been thinking about for some time.
I would like to see a bit more of the specific problems that are solved by this approach though.
The attached generalized_token_usecase doc is a good start but I would like to see the addressed problems enumerated.

I also wonder whether a token acquired through dtutil would be usable by services that can be configured to only accept this token as a representation of the authentication event. Given some trust mechanism, such as SSL (even better, 2-way SSL), we should be able to cryptographically verify and determine whether its issuer is from a trusted authority.

I'm also curious about the choice of protobuf for the token rather than JWT.
I'd like to understand the differences in portability that you see between the two.
JWT has become a very popular format for such things.

> Updated utility to create/modify token files
> --------------------------------------------
>
>                 Key: HADOOP-12563
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12563
>             Project: Hadoop Common
>          Issue Type: New Feature
>    Affects Versions: 3.0.0
>            Reporter: Allen Wittenauer
>            Assignee: Matthew Paduano
>         Attachments: HADOOP-12563.01.patch, HADOOP-12563.02.patch, HADOOP-12563.03.patch, HADOOP-12563.04.patch, HADOOP-12563.05.patch, HADOOP-12563.06.patch, example_dtutil_commands_and_output.txt, generalized_token_case.pdf
>
>
> hdfs fetchdt is missing some critical features and is geared almost exclusively towards HDFS operations.  Additionally, the token files that are created use Java serializations which are hard/impossible to deal with in other languages. It should be replaced with a better utility in common that can read/write protobuf-based token files, has enough flexibility to be used with other services, and offers key functionality such as append and rename. The old version file format should still be supported for backward compatibility, but will be effectively deprecated.
> A follow-on JIRA will deprecate fetchdt.


