Date: Sun, 23 Oct 2016 18:12:58 +0000 (UTC)
From: "Xiaoyu Yao (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-13749) KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used

     [ https://issues.apache.org/jira/browse/HADOOP-13749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaoyu Yao updated HADOOP-13749:
--------------------------------
       Resolution: Fixed
    Fix Version/s: 3.0.0-alpha2
                   2.8.0
           Status: Resolved  (was: Patch Available)

Fix committed to trunk, branch-2 and branch-2.8. Thanks all!

> KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13749
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13749
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Xiaoyu Yao
>            Priority: Critical
>             Fix For: 2.8.0, 3.0.0-alpha2
>
>         Attachments: HADOOP-13749.00.patch, HDFS-10757.00.patch, HDFS-10757.01.patch, HDFS-10757.02.patch, HDFS-10757.03.patch
>
>
> ClientContext::get gets the context from CACHE via a config setting based name, then KeyProviderCache stored in ClientContext gets the key provider cached by URI from the configuration, too. These would return the same KeyProvider regardless of current UGI.
> KMSClientProvider caches the UGI (actualUgi) in ctor; that means in particular that all the users of DFS with KMSClientProvider in a process will get the KMS token (along with other credentials) of the first user, via the above cache.
> Either KMSClientProvider shouldn't store the UGI, or one of the caches should be UGI-aware, like the FS object cache.
> Side note: the comment in createConnection that purports to handle the different UGI doesn't seem to cover what it says it covers. In our case, we have two unrelated UGIs with no auth (createRemoteUser) with a bunch of tokens, including a KMS token, added.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
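
The caching problem described in the report, as an added illustration that is not Hadoop code and not part of the original message. `ProviderCacheDemo`, `Provider`, `Key`, the user names and the URI are hypothetical stand-ins: a provider captures the caller's identity in its constructor, a cache keyed only by URI hands the first caller's provider to everyone, and a cache keyed by URI plus user does not.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; every name here is hypothetical, none is a Hadoop API.
public class ProviderCacheDemo {

    // Stands in for a client that captures the caller's identity in its
    // constructor, the way the report says KMSClientProvider stores actualUgi.
    static final class Provider {
        final String uri;
        final String capturedUser;

        Provider(String uri, String currentUser) {
            this.uri = uri;
            this.capturedUser = currentUser;
        }
    }

    // Flawed: keyed by URI only, so the first caller's provider is shared.
    static final Map<String, Provider> byUri = new ConcurrentHashMap<>();

    static Provider getByUri(String uri, String currentUser) {
        return byUri.computeIfAbsent(uri, u -> new Provider(u, currentUser));
    }

    // Identity-aware: the cache key includes the caller, which is one of the
    // two remedies the report proposes (a UGI-aware cache).
    record Key(String uri, String user) {}

    static final Map<Key, Provider> byUriAndUser = new ConcurrentHashMap<>();

    static Provider getByUriAndUser(String uri, String currentUser) {
        return byUriAndUser.computeIfAbsent(
            new Key(uri, currentUser), k -> new Provider(k.uri(), k.user()));
    }

    public static void main(String[] args) {
        String uri = "kms://https@kms.example.invalid:9600/kms"; // constructed
        getByUri(uri, "alice");                  // first caller fills the cache
        Provider shared = getByUri(uri, "bob");  // second caller, same URI
        System.out.println("URI-only cache, bob acts as: " + shared.capturedUser);

        getByUriAndUser(uri, "alice");
        Provider own = getByUriAndUser(uri, "bob");
        System.out.println("URI+user cache, bob acts as: " + own.capturedUser);
    }
}
```

The record syntax needs Java 16 or later. In a multi-tenant process, an audit log on the key server showing every request under a single principal is the observable symptom of the first pattern.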