hadoop-common-issues mailing list archives

From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13487) Hadoop KMS should load old delegation tokens from Zookeeper on startup
Date Mon, 22 Aug 2016 20:26:21 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15431545#comment-15431545 ]

Xiao Chen commented on HADOOP-13487:

Hi [~axenol],
Yes, the workflow works, because after restart, although the secret manager doesn't have the
token in cache ({{currentTokens}}), it will fall back to reading from ZK ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/ZKDelegationTokenSecretManager.java#L616]).

The problem is, the token removal thread is only checking the in-memory cache. So if there's
an old token in ZK and nobody is using it, it will not be loaded to {{currentTokens}} for
the removal thread to process. 

Also, since we're already loading {{PathChildrenCache}} for tokens and master keys at startup,
I think syncing the in-memory cache is the right thing to do.

> Hadoop KMS should load old delegation tokens from Zookeeper on startup
> ----------------------------------------------------------------------
>                 Key: HADOOP-13487
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13487
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Alex Ivanov
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13487.01.patch, HADOOP-13487.02.patch, HADOOP-13487.03.patch,
> Configuration:
> CDH 5.5.1 (Hadoop 2.6+)
> KMS configured to store delegation tokens in Zookeeper
> DEBUG logging enabled in /etc/hadoop-kms/conf/kms-log4j.properties
> Findings:
> It seems to me delegation tokens never get cleaned up from Zookeeper past their renewal date. I can see in the logs that the removal thread is started with the expected interval:
> {code}
> 2016-08-11 08:15:24,511 INFO  AbstractDelegationTokenSecretManager - Starting expired delegation token remover thread, tokenRemoverScanInterval=60 min(s)
> {code}
> However, I don't see any delegation token removals, indicated by the following log message:
> org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager --> removeStoredToken(TokenIdent ident), line 769 [CDH]
> {code}
>     if (LOG.isDebugEnabled()) {
>       LOG.debug("Removing ZKDTSMDelegationToken_"
>           + ident.getSequenceNumber());
>     }
> {code}
> Meanwhile, I see a lot of expired delegation tokens in Zookeeper that don't get cleaned
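
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Hadoop's code: a simplified model in which `store` stands in for the ZooKeeper token znodes, and `SecretManager`, `getRenewDate` and `removeExpired` are hypothetical names. It shows lookups still working after a restart, the remover skipping an expired token that was never loaded into the cache, and the same token being removed once the cache is synced at startup.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model, not Hadoop code: all names here are hypothetical.
public class TokenCacheSyncDemo {
    // Constructed stand-in for the ZK token znodes: sequence number -> renew date (ms).
    static final Map<Integer, Long> store = new ConcurrentHashMap<>();

    static class SecretManager {
        // Plays the role of the in-memory cache (currentTokens in the thread).
        final Map<Integer, Long> currentTokens = new ConcurrentHashMap<>();

        SecretManager(boolean syncOnStartup) {
            if (syncOnStartup) currentTokens.putAll(store); // load old tokens at startup
        }

        // Lookup: a cache miss falls back to the store, so token use works after restart.
        Long getRenewDate(int seq) {
            Long cached = currentTokens.get(seq);
            return cached != null ? cached : store.get(seq);
        }

        // Remover pass: scans only the in-memory cache, never the store.
        int removeExpired(long now) {
            int removed = 0;
            for (Map.Entry<Integer, Long> e : currentTokens.entrySet()) {
                if (e.getValue() < now) {
                    currentTokens.remove(e.getKey());
                    store.remove(e.getKey());
                    removed++;
                }
            }
            return removed;
        }
    }

    public static void main(String[] args) {
        long now = 1_000_000L;
        store.put(1, now - 5_000); // constructed: expired, unused since restart
        store.put(2, now + 5_000); // constructed: still valid

        SecretManager noSync = new SecretManager(false);
        System.out.println("lookup of token 2 after restart: " + noSync.getRenewDate(2));
        System.out.println("no sync: removed=" + noSync.removeExpired(now) + " left in store=" + store.keySet());

        SecretManager synced = new SecretManager(true);
        System.out.println("synced:  removed=" + synced.removeExpired(now) + " left in store=" + store.keySet());
    }
}
```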
