Date: Wed, 20 Jul 2016 21:49:20 +0000 (UTC)
From: "Zhe Zhang (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-13206) Delegation token cannot be fetched and used by different versions of client

[ https://issues.apache.org/jira/browse/HADOOP-13206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15386692#comment-15386692 ]

Zhe Zhang commented on HADOOP-13206:
------------------------------------

Thanks much for the suggestion [~cnauroth].
Although in our case the issue happened with 2.6 and 2.3 clients, now I think it can happen with the same version of client for 2 reasons. Let's assume there are client {{A}}, which fetches tokens, and client {{B}}, which uses tokens.

# Client {{A}} and client {{B}} could use different values of {{hadoop.security.token.service.use_ip}}. Should we treat this as a mis-configuration and enforce the same value across an entire production environment?
# Client {{A}}, when fetching the token, could use a numerical IP address to refer to the NameNode, such as {{webhdfs://123.45.67.89:50070}}. Client {{B}}, when using the token, could use a logical URI {{webhdfs://clusterNN}}.

Good point about DNS overhead. How about we update the patch and only do the newly added check if one URI is logical and the other is not?

> Delegation token cannot be fetched and used by different versions of client
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-13206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13206
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0, 2.6.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-13206.00.patch, HADOOP-13206.01.patch, HADOOP-13206.02.patch
>
>
> We have observed that an HDFS delegation token fetched by a 2.3.0 client cannot be used by a 2.6.1 client, and vice versa. Through some debugging I found that it's a mismatch between the token's {{service}} and the {{service}} of the filesystem (e.g. {{webhdfs://host.something.com:50070/}}). One would be in numerical IP address and one would be in non-numerical hostname format.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
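The mismatch described in this message, as an added illustration that is not part of the original e-mail and is not Hadoop's code or the attached patch: a Python model of how clients A and B each derive a token service key and why an exact-match lookup then fails. The function names, the constructed DNS table and the simplified key-building rule are assumptions; a logical URI such as {{webhdfs://clusterNN}} is not modelled.

```python
"""Simplified model (not Hadoop code) of delegation-token service keys."""
import ipaddress

# Constructed name -> address table standing in for DNS so this runs offline.
DNS = {"host.something.com": "123.45.67.89"}


def is_ip_literal(host):
    """True when the URI authority is already a numerical IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_service(host, port, use_ip):
    """Service key a client derives from the filesystem URI authority.

    Assumed rule: use_ip=True yields "ip:port" (resolving a hostname),
    use_ip=False keeps the host exactly as the URI spelled it.
    """
    host = host.lower()
    if use_ip and not is_ip_literal(host):
        host = DNS.get(host, host)  # unresolvable names stay as typed
    return f"{host}:{port}"


def select_token(credentials, service):
    """Exact-match lookup: a token is found only under the identical key."""
    return credentials.get(service)


def audit(fetch, use):
    """fetch/use are (host, port, use_ip) for client A and client B.

    Returns both keys and whether B can find the token A stored.
    """
    key_a = build_service(*fetch)
    key_b = build_service(*use)
    creds = {key_a: "token-fetched-by-A"}  # constructed placeholder token
    return {"A": key_a, "B": key_b,
            "usable": select_token(creds, key_b) is not None}


if __name__ == "__main__":
    # Reason 1: same URI, different use_ip values on the two clients.
    print(audit(("host.something.com", 50070, True),
                ("host.something.com", 50070, False)))
    # Reason 2 (hostname variant): A typed an IP, B typed a name.
    print(audit(("123.45.67.89", 50070, False),
                ("host.something.com", 50070, False)))
```

Logging both keys side by side, as `audit` does, is what makes this class of failure quick to diagnose: the token is present, but stored under a key the second client never asks for.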