Support Questions
Find answers, ask questions, and share your expertise

delegation token and block token question

Solved Go to solution

delegation token and block token question

Explorer

As far as I know after kerberos authentication is established, we can get delegation token and even if we kdestroy the tickets, we can still access using delegation token. Is delegation token part of kerberos or just depend on kereberos? Is it just a separate pacakge?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: delegation token and block token question

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

4 REPLIES 4
Highlighted

Re: delegation token and block token question

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

Highlighted

Re: delegation token and block token question

@Mokkan Mok

Yes, Namenode gives the delegation token. Command line tool is:

# hdfs fetchdt

More on it here:

https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html#fetchdt

Note: If you are satisfied with the answer, please take a moment to login and click the "accept" link on the answer.

Highlighted

Re: delegation token and block token question

Explorer

Thanks a lot for giving great explanation. Just a last question, delegation token is given by NN, from NN what package or what tool provides the delegation token. Is it part of namenode package?

Highlighted

Re: delegation token and block token question

Explorer

Thanks a lot.