hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token
Date Tue, 21 Jun 2016 00:05:57 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Xiao Chen updated HADOOP-13251:
-------------------------------
    Attachment: HADOOP-13251.04.patch

Further to an offline talk with ATM, I learnt that due to the security sensitiveness of delegation
tokens, DT ops should require more secure authentication (i.e. must not be allowed using DT
auth).
So, I think we should:
- Revert HADOOP-13228, which is based on my wrong understanding.
- Continue of the right fix for this. Attached patch 4 (unit test passes after reverting HADOOP-13228)
- File a new jira to fix existing add/renew behavior to disallow using a DT.

[~atm] and [~andrew.wang],
Could you please take a look and share your thoughts? Thanks a lot.

> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch,
HADOOP-13251.04.patch, HADOOP-13251.innocent.patch
>
>
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with
client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and
pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the
MR jobs are running. But currently, the token is used at the kms server side to decide the
renewer, in which case is always the token's owner. This ends up rejecting the renew request
due to renewer mismatch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message