Date: Sun, 12 Jun 2016 01:26:20 +0000 (UTC)
From: "Xiaoyu Yao (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Comment Edited] (HADOOP-13255) KMSClientProvider should check and renew tgt when doing delegation token operations.

    [ https://issues.apache.org/jira/browse/HADOOP-13255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15326123#comment-15326123 ]

Xiaoyu Yao edited comment on HADOOP-13255 at 6/12/16 1:26 AM:
--------------------------------------------------------------

Thanks [~xiaochen] for working on this and [~zhz] for the review. I would suggest we fix with the approach in v1 patch.

1. V1 patch is correct and less risky. All the change is localized to KMSClientProvider compared with broader change in DelegationTokenAuthenticator or KerberosAuthenticator.

2. V2 patch below won't be able to handle the proxy user and token user cases as the currentUGI is not sufficient for these cases. There are a few fixes around KMSClientProvider#actualUGI to make this right. You can refer to how actualUGI is initialized in KMSClientProvider#KMSClientProvider().

{code}
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
{code}


was (Author: xyao):
Thanks [~xiaochen] for working on this and [~zhz] for the review. I would suggest we fix with the approach in v1 patch.

1. V1 patch is less risky. All the change is localized to KMSClientProvider compared with broader change in DelegationTokenAuthenticator or KerberosAuthenticator.

2. V2 patch below won't be able to handle the proxy user and token user cases as the currentUGI is not sufficient for these cases. There are a few fixes around KMSClientProvider#actualUGI to make this right. You can refer to how actualUGI is initialized in KMSClientProvider#KMSClientProvider().

{code}
UserGroupInformation.getCurrentUser().checkTGTAndReloginFromKeytab();
{code}

> KMSClientProvider should check and renew tgt when doing delegation token operations.
> ------------------------------------------------------------------------------------
>
>                 Key: HADOOP-13255
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13255
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13255.01.patch, HADOOP-13255.02.patch
>
>
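
An added illustration of the point made in the comment above (not code from the JIRA issue or from either attached patch): a helper that first resolves the UGI able to hold the Kerberos login and renews on that, rather than calling checkTGTAndReloginFromKeytab() on the current user. The class and method names, the fallback to the login user for the token user case, and the user name "alice" are assumptions made for this example.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.UserGroupInformation.AuthenticationMethod;

// Added illustration; class and method names are hypothetical and this is
// not code from HADOOP-13255.01.patch or HADOOP-13255.02.patch.
public final class ActualUgiRelogin {

  // Pick the UGI that can hold the Kerberos login for the caller.
  static UserGroupInformation resolveActualUgi() throws IOException {
    UserGroupInformation current = UserGroupInformation.getCurrentUser();
    if (current.getAuthenticationMethod() == AuthenticationMethod.PROXY
        && current.getRealUser() != null) {
      // Proxy user case: the real user behind the proxy owns the TGT.
      return current.getRealUser();
    }
    if (!current.hasKerberosCredentials()) {
      // Token user case (assumed fallback): the process login user is the
      // only identity that may have a keytab to re-login from.
      return UserGroupInformation.getLoginUser();
    }
    return current;
  }

  // Renew on the resolved UGI rather than on getCurrentUser().
  static UserGroupInformation checkAndRenew() throws IOException {
    UserGroupInformation actual = resolveActualUgi();
    actual.checkTGTAndReloginFromKeytab();
    return actual;
  }

  public static void main(String[] args) throws Exception {
    UserGroupInformation login = UserGroupInformation.getLoginUser();
    // "alice" is a constructed user name for the demonstration.
    UserGroupInformation proxy = UserGroupInformation.createProxyUser("alice", login);
    UserGroupInformation renewed = proxy.doAs(
        (PrivilegedExceptionAction<UserGroupInformation>) ActualUgiRelogin::checkAndRenew);
    System.out.println("current=" + proxy.getShortUserName()
        + " renewed=" + renewed.getShortUserName());
  }
}
```

It needs hadoop-common on the classpath; inside the doAs block the current user is the proxy, while the UGI that gets the relogin check is the real user behind it.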