hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mingliang Liu (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (HADOOP-12659) Incorrect usage of config parameters in token manager of KMS
Date Sat, 19 Dec 2015 02:57:46 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-12659?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Mingliang Liu reassigned HADOOP-12659:
--------------------------------------

    Assignee: Mingliang Liu

> Incorrect usage of config parameters in token manager of KMS
> ------------------------------------------------------------
>
>                 Key: HADOOP-12659
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12659
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1, 2.6.2
>            Reporter: Tianyin Xu
>            Assignee: Mingliang Liu
>
> Hi, the usage of the following configs of Key Management Server (KMS) are problematic:

> {{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
> {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}
> The name indicates that the units are {{sec}}, and the online doc shows that the default
values are {{86400}} and {{3600}}, respectively.
> https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
> which is also defined in
> {code:title=DelegationTokenManager.java|borderStyle=solid}
>  55   public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
>  56   public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
>  ...
>  58   public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
>  59       "removal-scan-interval.sec";
>  60   public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
> {code}
> However, in {{DelegationTokenManager.java}} and {{ZKDelegationTokenSecretManager.java}},
these two parameters are used incorrectly.
> 1. *{{DelegationTokenManager.java}}*
> {code}
>  70           conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
>  71           conf.getLong(REMOVAL_SCAN_INTERVAL, 
>  72               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
> {code}
> Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same way as {{RENEW_INTERVAL}},
like
> {code}
> 72c72
> <               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
> ---
> >               REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
> {code}
> Currently, the unit of {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}
is not {{sec}} but {{millisec}}.
> 2. *{{ZKDelegationTokenSecretManager.java}}*
> {code}
> 142         conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
> 143             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
> 144         conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
> 145             DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
> {code}
>  The situation is the opposite in this class that {{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
is wrong but the other is correct...
> A patch should be like
> {code}
> 143c143
> <             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
> ---
> >             DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
> {code}
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message