Return-Path: X-Original-To: apmail-accumulo-notifications-archive@minotaur.apache.org Delivered-To: apmail-accumulo-notifications-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id DCFC018A01 for ; Fri, 5 Jun 2015 17:28:00 +0000 (UTC) Received: (qmail 20159 invoked by uid 500); 5 Jun 2015 17:28:00 -0000 Delivered-To: apmail-accumulo-notifications-archive@accumulo.apache.org Received: (qmail 20123 invoked by uid 500); 5 Jun 2015 17:28:00 -0000 Mailing-List: contact notifications-help@accumulo.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: jira@apache.org Delivered-To: mailing list notifications@accumulo.apache.org Received: (qmail 20101 invoked by uid 99); 5 Jun 2015 17:28:00 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Jun 2015 17:28:00 +0000 Date: Fri, 5 Jun 2015 17:28:00 +0000 (UTC) From: "Josh Elser (JIRA)" To: notifications@accumulo.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (ACCUMULO-3890) Use of CredentialProvider results in a lot of NN ops MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/ACCUMULO-3890?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14574881#comment-14574881 ] Josh Elser commented on ACCUMULO-3890: -------------------------------------- bq. does that happen for all CredentialProviders or just the demo java keystore-on-hdfs one? Well, you're only going to incur a lot of NN ops when the CP is stored on HDFS :). In general, I didn't add any caching to reading from the CPs when I added this support. bq. how do we figure out when things have changed? i.e. for those that are using non-trivial credential providers where sensitive properties might be updated as a part of a security incident, are we going to require a cluster restart? IMO, CPs should be treated like a static resource, same as accumulo-site.xml. Users should still be able to override the value in ZK (when the property itself allows it: replication user password and trace user password come to mind). Assuming I did that right too :) > Use of CredentialProvider results in a lot of NN ops > ---------------------------------------------------- > > Key: ACCUMULO-3890 > URL: https://issues.apache.org/jira/browse/ACCUMULO-3890 > Project: Accumulo > Issue Type: Bug > Affects Versions: 1.6.1, 1.6.2, 1.7.0 > Reporter: Billie Rinaldi > Assignee: Billie Rinaldi > Fix For: 1.7.1, 1.8.0 > > > Every time we access a sensitive property or iterate over a configuration when there is a CredentialProvider configured, it results in NN operations (as evidenced by FSNamesystem.audit logs). I think that we could assume the CredentialProvider is static, read its properties once and cache them in memory to avoid these unnecessary reads. -- This message was sent by Atlassian JIRA (v6.3.4#6332)