Description
I talked to devaraj today about MapReduce support running on secure Hadoop to help get a picture about what extra might be needed to make this work.
Generally, in Hadoop and HBase, the client must have valid credentials to submit a job, then the notion of delegation tokens is used by for further communication since the servers do not have access to the client's sensitive information. A centralized service manages creation of a delegation token which is a record which contains certain information (such as the submitting user name) necessary to securely identify the holder of the delegation token.
The general idea is that we would need to build support into the master to manage delegation tokens to node managers to acquire and use to run jobs. Hadoop and HBase both contain code which implements this general idea, but we will need to apply them Accumulo and verify that it is M/R jobs still work on a kerberized environment.
Attachments
Attachments
Issue Links
- breaks
-
ACCUMULO-3612 PermissionsIT broken after OBTAIN_DELEGATION_TOKEN permission was added
- Resolved
- is related to
-
ACCUMULO-3713 Remove unused TDelegationTokenOptions
- Resolved
- links to