accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3890) Use of CredentialProvider results in a lot of NN ops
Date Fri, 05 Jun 2015 17:28:00 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14574881#comment-14574881
] 

Josh Elser commented on ACCUMULO-3890:
--------------------------------------

bq. does that happen for all CredentialProviders or just the demo java keystore-on-hdfs one?

Well, you're only going to incur a lot of NN ops when the CP is stored on HDFS :). In general,
I didn't add any caching to reading from the CPs when I added this support.

bq. how do we figure out when things have changed? i.e. for those that are using non-trivial
credential providers where sensitive properties might be updated as a part of a security incident,
are we going to require a cluster restart?

IMO, CPs should be treated like a static resource, same as accumulo-site.xml. Users should
still be able to override the value in ZK (when the property itself allows it: replication
user password and trace user password come to mind). Assuming I did that right too :)

> Use of CredentialProvider results in a lot of NN ops
> ----------------------------------------------------
>
>                 Key: ACCUMULO-3890
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3890
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.6.1, 1.6.2, 1.7.0
>            Reporter: Billie Rinaldi
>            Assignee: Billie Rinaldi
>             Fix For: 1.7.1, 1.8.0
>
>
> Every time we access a sensitive property or iterate over a configuration when there
is a CredentialProvider configured, it results in NN operations (as evidenced by FSNamesystem.audit
logs).  I think that we could assume the CredentialProvider is static, read its properties
once and cache them in memory to avoid these unnecessary reads.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message