accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-3890) Use of CredentialProvider results in a lot of NN ops
Date Mon, 08 Jun 2015 19:22:01 GMT


Josh Elser commented on ACCUMULO-3890:

bq. Granted the existing publicly available implementations are all based on something file-like.
But you never know what's coming in the future...and moving secrets into an external store
and hooking them up via the CredentialProvider is an appealing story.

I'm not sure if you're trying to be coy, but we can't really design for something we don't
know is coming. If you have something that we can keep in mind to avoid invalidating any changes
we make, please tell us now so we can fix this once.

bq. I had a peek at some of the latest CredentialProvider code; the getCredentialEntry() call
does have a cache, but I don't see any calls to actually populate that cache. Wonder what's
going on there; you might want to investigate that bit first.

Looking at branch-2.7, I still don't see anything that adds to that cache like you mentioned.
[~lmccay] do you know if it's a known issue that the JKS provider doesn't put elements into
the cache (or did we just miss how that happens)? If the cache isn't being used properly,
we should fix this in Hadoop (and maybe add a patch into Accumulo to prevent it from bashing
the NN to pieces on the broken versions).

> Use of CredentialProvider results in a lot of NN ops
> ----------------------------------------------------
>                 Key: ACCUMULO-3890
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.6.1, 1.6.2, 1.7.0
>            Reporter: Billie Rinaldi
>            Assignee: Billie Rinaldi
>             Fix For: 1.6.3, 1.7.1, 1.8.0
> Every time we access a sensitive property or iterate over a configuration when there
is a CredentialProvider configured, it results in NN operations (as evidenced by FSNamesystem.audit
logs).  I think that we could assume the CredentialProvider is static, read its properties
once and cache them in memory to avoid these unnecessary reads.

This message was sent by Atlassian JIRA

View raw message