hadoop-common-issues mailing list archives

From "Chris Nauroth (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13206) Delegation token cannot be fetched and used by different versions of client
Date Wed, 20 Jul 2016 20:27:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15386562#comment-15386562 ]

Chris Nauroth commented on HADOOP-13206:

Hello [~zhz].  You might also be interested in HADOOP-12954 and MAPREDUCE-6565, which discuss
a few more wrinkles with {{hadoop.security.token.service.use_ip}}.

I see a potential problem in the proposed patch.  The point of using IP address in the delegation
token service was to prevent unnecessary repeated DNS lookups.  The proposed patch would result
in re-introducing some of those lookups in the fallback case when the service doesn't match.
 If we consider a scenario with a client holding delegation tokens for multiple clusters,
such as a cross-cluster DistCp, then we definitely would re-resolve DNS lookups a few times.

I see you did some investigation into why the 2.3.0 client produces an IP address and later
versions don't.  Do you think this is simply a bug in 2.3.0, which has been subsequently fixed
(perhaps unintentionally)?  IOW, do you think it's appropriate to resolve this with no action,
rather than commit a patch that introduces potential performance problems, only to work around
buggy behavior in an older client version?

> Delegation token cannot be fetched and used by different versions of client
> ---------------------------------------------------------------------------
>                 Key: HADOOP-13206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13206
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0, 2.6.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-13206.00.patch, HADOOP-13206.01.patch, HADOOP-13206.02.patch
>
> We have observed that an HDFS delegation token fetched by a 2.3.0 client cannot be used
> by a 2.6.1 client, and vice versa. Through some debugging I found that it's a mismatch between
> the token's {{service}} and the {{service}} of the filesystem (e.g. {{webhdfs://host.something.com:50070/}}).
> One would be in numerical IP address and one would be in non-numerical hostname format.
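
The service mismatch in the issue description, and the extra DNS lookups the comment is concerned about, can be seen in a small model. This is an added example, not Hadoop code and not the HADOOP-13206 patch: the token map, the fallback logic, the fake DNS table, the second hostname, the IP addresses and the token names are all constructed assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added model of token lookup by service string; not Hadoop code.
public class TokenServiceMatch {
    static int lookups = 0; // how many simulated DNS queries were made
    // Constructed stand-in for DNS so the example runs offline.
    static final Map<String, String> FAKE_DNS = Map.of(
            "host.something.com", "10.0.0.5",
            "nn.other-cluster.example", "10.0.1.7");

    static String resolve(String host) {
        if (host.matches("[0-9.]+")) return host; // IPv4 literal: no query needed
        lookups++;
        return FAKE_DNS.getOrDefault(host, host);
    }

    // Normalise "host:port" or "ip:port" to "ip:port".
    static String toIpService(String service) {
        int colon = service.lastIndexOf(':');
        return resolve(service.substring(0, colon)) + service.substring(colon);
    }

    // Strict behaviour: the service string is the map key, compared as text.
    static String exactMatch(Map<String, String> tokens, String fsService) {
        return tokens.get(fsService);
    }

    // Hypothetical fallback: on a miss, resolve each stored service and compare.
    static String matchWithFallback(Map<String, String> tokens, String fsService) {
        String hit = tokens.get(fsService);
        if (hit != null) return hit;
        String wanted = toIpService(fsService);
        for (Map.Entry<String, String> e : tokens.entrySet()) {
            if (toIpService(e.getKey()).equals(wanted)) return e.getValue();
        }
        return null;
    }

    public static void main(String[] args) {
        // Tokens for two clusters, stored under hostname-form services.
        Map<String, String> tokens = new LinkedHashMap<>();
        tokens.put("nn.other-cluster.example:50070", "token-B");
        tokens.put("host.something.com:50070", "token-A");
        String fsService = "10.0.0.5:50070"; // IP-form service the other client expects
        System.out.println("exact match:   " + exactMatch(tokens, fsService));
        System.out.println("with fallback: " + matchWithFallback(tokens, fsService));
        System.out.println("DNS lookups:   " + lookups);
    }
}
```

With this constructed data the exact lookup misses, and the fallback finds the token only after resolving both stored hostnames, so the lookup count grows with the number of tokens held.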
