Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 8285A200B4A for ; Wed, 20 Jul 2016 22:27:22 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 81124160A5B; Wed, 20 Jul 2016 20:27:22 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id D0219160A86 for ; Wed, 20 Jul 2016 22:27:21 +0200 (CEST) Received: (qmail 19590 invoked by uid 500); 20 Jul 2016 20:27:21 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 19384 invoked by uid 99); 20 Jul 2016 20:27:20 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 Jul 2016 20:27:20 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id C8D5D2C0D62 for ; Wed, 20 Jul 2016 20:27:20 +0000 (UTC) Date: Wed, 20 Jul 2016 20:27:20 +0000 (UTC) From: "Chris Nauroth (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-13206) Delegation token cannot be fetched and used by different versions of client MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Wed, 20 Jul 2016 20:27:22 -0000 [ https://issues.apache.org/jira/browse/HADOOP-13206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15386562#comment-15386562 ] Chris Nauroth commented on HADOOP-13206: ---------------------------------------- Hello [~zhz]. You might also be interested in HADOOP-12954 and MAPREDUCE-6565, which discuss a few more wrinkles with {{hadoop.security.token.service.use_ip}}. I see a potential problem in the proposed patch. The point of using IP address in the delegation token service was to prevent unnecessary repeated DNS lookups. The proposed patch would result in re-introducing some of those lookups in the fallback case when the service doesn't match. If we consider a scenario with a client holding delegation tokens for multiple clusters, such as a cross-cluster DistCp, then we definitely would re-resolve DNS lookups a few times. I see you did some investigation into why the 2.3.0 client produce an IP address and later versions don't. Do you think this is simply a bug in 2.3.0, which has been subsequently fixed (perhaps unintentionally)? IOW, do you think it's appropriate to resolve this with no action, rather than commit a patch that introduces potential performance problems, only to work around buggy behavior in an older client version? > Delegation token cannot be fetched and used by different versions of client > --------------------------------------------------------------------------- > > Key: HADOOP-13206 > URL: https://issues.apache.org/jira/browse/HADOOP-13206 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.3.0, 2.6.1 > Reporter: Zhe Zhang > Assignee: Zhe Zhang > Attachments: HADOOP-13206.00.patch, HADOOP-13206.01.patch, HADOOP-13206.02.patch > > > We have observed that an HDFS delegation token fetched by a 2.3.0 client cannot be used by a 2.6.1 client, and vice versa. Through some debugging I found that it's a mismatch between the token's {{service}} and the {{service}} of the filesystem (e.g. {{webhdfs://host.something.com:50070/}}). One would be in numerical IP address and one would be in non-numerical hostname format. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org