Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

delegation token and block token question

Labels:
avatar
author-rank mokkan
Explorer

Created on ‎05-24-2018 02:07 PM - edited ‎09-16-2022 06:16 AM

As far as I know after kerberos authentication is established, we can get delegation token and even if we kdestroy the tickets, we can still access using delegation token. Is delegation token part of kerberos or just depend on kereberos? Is it just a separate pacakge?

3,218 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:20 PM

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

3,162 Views
0 Kudos
0
4 REPLIES 4

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:20 PM

@Mokkan Mok

1. We can get delegation token and even if we kdestroy the tickets, we can still access using delegation token?

Yes, the following hc link shows exactly this with an example

https://community.hortonworks.com/articles/50069/demystifying-delegation-token.html

2. Is delegation token part of kerberos or just depend on kereberos?

Delegation token is not part of kerberos. But in order to get a delegation token you need to have a valid kerberos token.

3. Is it just a separate package?

Each hadooop service like HDFS, YARN, HIVE, HBASE client api provides a way to fetch delegation tokens. Each delagation token has expiration and max issue date. As long as is valid clients can use the delegation token to authenticate with the service.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

3,163 Views
0 Kudos
0

avatar
author-rank falbani author-rank
Guru

Created ‎05-24-2018 02:33 PM

@Mokkan Mok

Yes, Namenode gives the delegation token. Command line tool is:

# hdfs fetchdt

More on it here:

https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-hdfs/HdfsUserGuide.html#fetchdt

Note: If you are satisfied with the answer, please take a moment to login and click the "accept" link on the answer.

3,162 Views
0 Kudos

avatar
author-rank mokkan
Explorer

Created ‎05-24-2018 02:31 PM

Thanks a lot for giving great explanation. Just a last question, delegation token is given by NN, from NN what package or what tool provides the delegation token. Is it part of namenode package?

3,162 Views
0 Kudos

avatar
author-rank mokkan
Explorer

Created ‎05-24-2018 02:39 PM

Thanks a lot.

3,162 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements