
delegation token and block token question


As far as I know, after Kerberos authentication is established, we can get a delegation token, and even if we kdestroy the tickets, we can still access using the delegation token. Is the delegation token part of Kerberos, or does it just depend on Kerberos? Is it just a separate package?

1 ACCEPTED SOLUTION


@Mokkan Mok

1. We can get a delegation token, and even if we kdestroy the tickets, we can still access using the delegation token?

Yes, the following hc link shows exactly this with an example:

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is the delegation token part of Kerberos, or does it just depend on Kerberos?

The delegation token is not part of Kerberos. But in order to get a delegation token, you need to have a valid Kerberos token.

3. Is it just a separate package?

Each Hadoop service like HDFS, YARN, HIVE, HBASE client API provides a way to fetch delegation tokens. Each delegation token has an expiration and a max issue date. As long as it is valid, clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.


4 REPLIES 4



@Mokkan Mok

Yes, the NameNode gives the delegation token. The command-line tool is:

# hdfs fetchdt

More on it here:

https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html#fetchdt

Note: If you are satisfied with the answer, please take a moment to login and click the "accept" link on the answer.


Thanks a lot for giving a great explanation. Just one last question: the delegation token is given by the NN, so from the NN, what package or what tool provides the delegation token? Is it part of the namenode package?


Thanks a lot.