hadoop-common-issues mailing list archives

From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-14441) LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from all KMS instances
Date Fri, 19 May 2017 19:18:04 GMT
Wei-Chiu Chuang created HADOOP-14441:
----------------------------------------

             Summary: LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from all KMS instances
                 Key: HADOOP-14441
                 URL: https://issues.apache.org/jira/browse/HADOOP-14441
             Project: Hadoop Common
          Issue Type: Bug
          Components: kms
    Affects Versions: 2.7.0
         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
            Reporter: Wei-Chiu Chuang
            Assignee: Wei-Chiu Chuang


LoadBalancingKMSClientProvider only gets a delegation token from one KMS instance, in a round-robin
fashion. This is arguably a bug, as the JavaDoc for {{KeyProviderDelegationTokenExtension#addDelegationTokens}}
states:
{quote}
/**
     * The implementer of this class will take a renewer and add all
     * delegation tokens associated with the renewer to the 
     * <code>Credentials</code> object if it is not already present, 
...

**/
{quote}

This bug doesn't pop up very often, because HDFS clients such as MapReduce unintentionally
call {{FileSystem#addDelegationTokens}} multiple times.

We have a custom client that accesses HDFS/KMS-HA using delegation tokens, and we were puzzled
why it always throws "Failed to find any Kerberos tgt" exceptions talking to one KMS but not
the other. Turns out that client couldn't talk to the KMS because {{FileSystem#addDelegationTokens}}
only gets one KMS delegation token at a time.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
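
Added illustration, not part of the original message and not Hadoop code: a simplified Java model of the behaviour the report describes, comparing round-robin token collection with collection from every KMS instance. All class, method and host names are hypothetical, and the model assumes a delegation token is accepted only by the instance that issued it.

```java
import java.util.*;

// Simplified model, not Hadoop code: every name below is a hypothetical stand-in.
public class KmsTokenModel {
    // One KMS instance; the model assumes a token is only accepted by its issuer.
    static final class Kms {
        final String service;
        Kms(String service) { this.service = service; }
        String issueToken(String renewer) { return "dt:" + service + ":" + renewer; }
    }

    // Reported behaviour: each call asks only the next instance, round-robin.
    static final class RoundRobinProvider {
        private final List<Kms> instances;
        private int next = 0;
        RoundRobinProvider(List<Kms> instances) { this.instances = instances; }
        void addDelegationTokens(String renewer, Map<String, String> creds) {
            Kms kms = instances.get(next);
            next = (next + 1) % instances.size();
            creds.putIfAbsent(kms.service, kms.issueToken(renewer));
        }
    }

    // Behaviour the issue title asks for: one call adds a token from every instance.
    static void addFromAll(List<Kms> instances, String renewer, Map<String, String> creds) {
        for (Kms kms : instances) creds.putIfAbsent(kms.service, kms.issueToken(renewer));
    }

    // Instances a token-only client (no Kerberos TGT) has no credential for.
    static List<String> uncovered(List<Kms> instances, Map<String, String> creds) {
        List<String> out = new ArrayList<>();
        for (Kms kms : instances) if (!creds.containsKey(kms.service)) out.add(kms.service);
        return out;
    }

    public static void main(String[] args) {
        // Constructed two-node KMS-HA pair; creds maps issuing service -> token.
        List<Kms> ha = Arrays.asList(new Kms("kms1.example"), new Kms("kms2.example"));
        RoundRobinProvider rr = new RoundRobinProvider(ha);
        Map<String, String> creds = new LinkedHashMap<>();
        rr.addDelegationTokens("renewer", creds);
        System.out.println("round-robin, 1 call, uncovered: " + uncovered(ha, creds));
        rr.addDelegationTokens("renewer", creds); // a repeated call masks the gap
        System.out.println("round-robin, 2 calls, uncovered: " + uncovered(ha, creds));
        Map<String, String> all = new LinkedHashMap<>();
        addFromAll(ha, "renewer", all);
        System.out.println("all instances, 1 call, uncovered: " + uncovered(ha, all));
    }
}
```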
