Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

delegation token and block token question

Labels:
avatar
author-rank mokkan
Explorer

Created on ‎05-24-2018 02:07 PM - edited ‎09-16-2022 06:16 AM

As far as I know after kerberos authentication is established, we can get delegation token and even if we kdestroy the tickets, we can still access using delegation token. Is delegation token part of kerberos or just depend on kereberos? Is it just a separate pacakge?

2,920 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:20 PM

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

2,864 Views
0 Kudos
4 REPLIES 4

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:20 PM

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

2,865 Views
0 Kudos

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:33 PM

@Mokkan Mok

Yes, Namenode gives the delegation token. Command line tool is:

# hdfs fetchdt

More on it here:

https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html#fetchdt

Note: If you are satisfied with the answer, please take a moment to login and click the "accept" link on the answer.

2,864 Views
0 Kudos

avatar
author-rank mokkan
Explorer

Created ‎05-24-2018 02:31 PM

Thanks a lot for giving great explanation. Just a last question, delegation token is given by NN, from NN what package or what tool provides the delegation token. Is it part of namenode package?

2,864 Views
0 Kudos

avatar
author-rank mokkan
Explorer

Created ‎05-24-2018 02:39 PM

Thanks a lot.

2,864 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements