Delegation tokens
Delegation Tokens were therefore introduced as a lightweight authentication method that complements Kerberos. Kerberos is a three-party protocol (client, KDC and server); Delegation Token authentication is a two-party protocol between the client and the server that issued the token, so the KDC is not involved in the subsequent requests.
The way Delegation Tokens work is:
The client initially authenticates with each server via Kerberos and obtains a Delegation Token from that server.
The client uses the Delegation Token for subsequent authentications with that server instead of Kerberos.
Token's structure
Owner: The user who owns the token.
Renewer: The user who is allowed to renew the token.
Real User: Only relevant if the owner is impersonated. If the token is created by an impersonating user, this identifies the impersonating user. For example, when oozie impersonates user joe, Owner is joe and Real User is oozie.
Issue Date: Epoch time at which the token was issued.
Max Date: Epoch time after which the token can no longer be renewed, whatever its renewal state.
Sequence Number: A counter, incremented by the issuing server for each token it creates, that identifies the token.
Master Key ID: ID of the master key used to create and verify the token.
Table 1: Token Identifier (public part of a Delegation Token)
The private information is represented by the class DelegationTokenInformation in AbstractDelegationTokenSecretManager. It is critical for security and contains the following fields:
renewDate: Epoch time by which the token must be renewed. If it is earlier than the current time, the token has expired and the server rejects it.
password: The password, computed as an HMAC over the serialized Token Identifier with the master key as the HMAC key (Hadoop's SecretManager uses HmacSHA1 by default). It is used to validate the Delegation Token that the client presents to the server.
trackingId: A tracking identifier that can be used to associate uses of one token across multiple client sessions. It is computed as the MD5 of the serialized Token Identifier and is only populated when token tracking is enabled.
Table 2: Delegation Token Information (private part of a Delegation Token)
The client-side Token class is org.apache.hadoop.security.token.Token. The following table describes what a Token contains.
identifier: The serialized Token Identifier (the public part from Table 1), which the client sends to the server together with the password.
password: The password matching the password held at the server side; this is the secret the client must protect.
kind: The kind of token (e.g. HDFS_DELEGATION_TOKEN, or kms-dt); it matches the identifier's kind.
service: The name of the service (e.g. ha-hdfs:<nameservice-name> for HDFS, <ip_address>:<port> for KMS).
renewer: The user who can renew the token (e.g. yarn), as recorded in the identifier.
Table 3: Delegation Token at Client Side
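As an added illustration (not code from Hadoop or from the original post), the following Python script models the three tables above end to end: a server-side secret manager that issues a Token Identifier (Table 1) and its private DelegationTokenInformation (Table 2), derives the password as an HMAC over the serialized identifier keyed by the master key, and then validates what a client presents (identifier plus password, Table 3). It exercises an impersonated owner, a tampered identifier, a wrong password, renewal by the wrong user, a successful renewal and expiry. The byte encoding in serialize(), the master key bytes, the key ID and the timestamps are constructed for the example; the encoding is a stand-in for Hadoop's Writable format, not a reimplementation of it.

```python
# Added example: a Python model of Hadoop-style delegation tokens. Not Hadoop
# code; the encoding, master key and timestamps are constructed for illustration.
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

HMAC_ALGORITHM = "sha1"               # Hadoop's SecretManager defaults to HmacSHA1
RENEW_INTERVAL_MS = 24 * 3600 * 1000  # one day, the HDFS default renew interval


@dataclass(frozen=True)
class TokenIdentifier:
    """Public part of the token (Table 1). Times are epoch milliseconds."""
    owner: str
    renewer: str
    real_user: str
    issue_date: int
    max_date: int
    sequence_number: int
    master_key_id: int

    def serialize(self) -> bytes:
        # Stand-in for Hadoop's Writable encoding; any field change alters the bytes.
        out = b""
        for s in (self.owner, self.renewer, self.real_user):
            out += struct.pack(">H", len(s.encode())) + s.encode()
        return out + struct.pack(">qqii", self.issue_date, self.max_date,
                                 self.sequence_number, self.master_key_id)


@dataclass
class DelegationTokenInformation:
    """Private, server-side part of the token (Table 2)."""
    renew_date: int
    password: bytes
    tracking_id: str


def create_password(identifier: bytes, master_key: bytes) -> bytes:
    """password = HMAC(master_key, serialized identifier)."""
    return hmac.new(master_key, identifier, HMAC_ALGORITHM).digest()


class SecretManager:
    def __init__(self, master_keys, current_key_id, renew_interval=RENEW_INTERVAL_MS):
        self.master_keys, self.current_key_id = master_keys, current_key_id
        self.renew_interval = renew_interval
        self.sequence_number = 0   # monotonically increasing counter, not a UUID
        self.tokens = {}           # serialized identifier -> (identifier, info)

    def issue(self, owner, renewer, real_user, now, max_lifetime):
        self.sequence_number += 1
        ident = TokenIdentifier(owner, renewer, real_user, now, now + max_lifetime,
                                self.sequence_number, self.current_key_id)
        raw = ident.serialize()
        info = DelegationTokenInformation(
            renew_date=min(now + self.renew_interval, ident.max_date),
            password=create_password(raw, self.master_keys[self.current_key_id]),
            tracking_id=hashlib.md5(raw).hexdigest())
        self.tokens[raw] = (ident, info)
        return raw, info.password   # what the client receives: identifier + password

    def verify(self, raw, password, now):
        """Server-side check of the identifier and password a client presents."""
        if raw not in self.tokens:  # never issued, cancelled, or tampered identifier
            return False, "unknown token"
        ident, info = self.tokens[raw]
        if info.renew_date < now:
            return False, "token expired"
        if not hmac.compare_digest(info.password, password):  # constant-time compare
            return False, "bad password"
        return True, ident.owner    # the request now runs as the owner

    def renew(self, raw, renewer, now):
        if raw not in self.tokens:
            return False, "unknown token"
        ident, info = self.tokens[raw]
        if renewer != ident.renewer:
            return False, "not the designated renewer"
        if info.renew_date < now or now > ident.max_date:
            return False, "token expired"
        info.renew_date = min(now + self.renew_interval, ident.max_date)
        return True, info.renew_date


def demo():
    """Walk one token through issue, tampering, renewal and expiry."""
    now = 1_700_000_000_000
    sm = SecretManager({7: b"constructed-master-key-7"}, current_key_id=7)
    raw, pw = sm.issue("joe", "yarn", "oozie", now, 7 * RENEW_INTERVAL_MS)
    ident, info = sm.tokens[raw]
    forged = replace(ident, owner="hdfs").serialize()   # attacker edits the owner
    return {
        "valid": sm.verify(raw, pw, now + 1000),
        "forged": sm.verify(forged, pw, now + 1000),
        "bad_pw": sm.verify(raw, bytes(len(pw)), now + 1000),
        "wrong_renewer": sm.renew(raw, "joe", now + 1000),
        "renewed": sm.renew(raw, "yarn", now + 1000),
        "after_renew": sm.verify(raw, pw, now + RENEW_INTERVAL_MS + 1),
        "expired": sm.verify(raw, pw, now + 2 * RENEW_INTERVAL_MS + 1001),
        "tracking_id": info.tracking_id == hashlib.md5(raw).hexdigest(),
    }
```

Two points the walk-through makes concrete: editing any identifier field (here the owner) changes the bytes the server looks up, so the token is simply unknown, and the password is compared with hmac.compare_digest so a forged password cannot be guessed byte by byte through timing. Renewal only pushes renewDate forward up to Max Date, and only when the caller is the identifier's renewer.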