hadoop-common-issues mailing list archives

From "Arun Suresh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14441) LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from all KMS instances
Date Mon, 22 May 2017 23:01:04 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16020356#comment-16020356 ]

Arun Suresh commented on HADOOP-14441:
--------------------------------------

[~shahrs87], have you tried this by any chance?
bq. First time we get a DT from any one of the kms instances, we store the same DT against
ALL the service urls in the user credential. This would require the ZKDTSM to be configured,
to replicate the DT to all kms instances.
And yeah, the LBKMSClientProvider requires all services to use the same port.

> LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from
all KMS instances
> ------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-14441
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14441
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.7.0
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>         Attachments: HADOOP-14441.001.patch, HADOOP-14441.002.patch, HADOOP-14441.003.patch
>
>
> LoadBalancingKMSClientProvider only gets delegation token from one KMS instance, in a
round-robin fashion. This is arguably a bug, as JavaDoc for {{KeyProviderDelegationTokenExtension#addDelegationTokens}}
states:
> {quote}
> /**
>      * The implementer of this class will take a renewer and add all
>      * delegation tokens associated with the renewer to the 
>      * <code>Credentials</code> object if it is not already present, 
> ...
> **/
> {quote}
> This bug doesn't pop up very often, because HDFS clients such as MapReduce unintentionally
call {{FileSystem#addDelegationTokens}} multiple times.
> We have a custom client that accesses HDFS/KMS-HA using delegation tokens, and we were
puzzled why it always throws "Failed to find any Kerberos tgt" exceptions talking to one KMS
but not the other. Turns out that the client couldn't talk to the KMS because {{FileSystem#addDelegationTokens}}
only gets one KMS delegation token at a time.
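
The behaviour discussed in this thread, as an added model written for this page (it is not Hadoop code and does not use the Hadoop API): a load-balancing provider that fetches one delegation token per call from the instance chosen round-robin, a client that looks the token up under the service name (URL authority, host:port) of whichever instance it contacts, and the two knobs discussed above, namely storing the one token under every instance's service name, and whether the instances share a token secret manager the way a ZooKeeper-backed DTSM would. The class names, the `scenario` helper and the `kms-a`/`kms-b` URLs are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Token:
    """A delegation token: an opaque identifier plus the service that minted it."""
    identifier: str
    issuer: str


class SecretManager:
    """Tracks the tokens a KMS instance will accept. One object per instance
    models standalone secret managers; one object shared by all instances
    models a ZooKeeper-backed DTSM that replicates tokens (assumption)."""
    def __init__(self):
        self.known = set()
        self.counter = 0

    def issue(self, issuer):
        self.counter += 1
        tok = Token(f"dt-{self.counter}", issuer)
        self.known.add(tok)
        return tok

    def verify(self, tok):
        return tok in self.known


class KMSInstance:
    def __init__(self, url, secret_manager):
        self.url = url
        self.sm = secret_manager

    @property
    def service(self):
        # Tokens are keyed by the URL authority (host:port); this is why every
        # instance behind the load balancer must listen on the same port.
        return urlsplit(self.url).netloc

    def get_delegation_token(self):
        return self.sm.issue(self.service)

    def handle_request(self, credentials):
        tok = credentials.get(self.service)
        if tok is None:
            # No token for this service name: the client falls back to Kerberos,
            # and a DT-only client has no TGT, hence the error text in the report.
            raise PermissionError(f"{self.service}: Failed to find any Kerberos tgt")
        if not self.sm.verify(tok):
            raise PermissionError(f"{self.service}: token {tok.identifier} unknown here")
        return "ok"


class LoadBalancingProvider:
    """Round-robin over KMS instances; each addDelegationTokens call talks to one instance."""
    def __init__(self, instances):
        self.instances = list(instances)
        self.next = 0

    def add_delegation_tokens(self, credentials, store_under_all_services=False):
        inst = self.instances[self.next % len(self.instances)]
        self.next += 1
        if inst.service in credentials:      # "if it is not already present"
            return []
        tok = inst.get_delegation_token()
        # Proposed workaround: register the single token under every service name.
        targets = self.instances if store_under_all_services else [inst]
        for t in targets:
            credentials.setdefault(t.service, tok)
        return [tok]


def scenario(shared_secret_manager, store_under_all_services, calls=1):
    """Run `calls` addDelegationTokens calls, then contact both instances with the
    resulting credentials. Returns {service: "ok" | error message}."""
    sm_a = SecretManager()
    sm_b = sm_a if shared_secret_manager else SecretManager()
    kms_a = KMSInstance("https://kms-a.example.net:16000/kms", sm_a)   # constructed
    kms_b = KMSInstance("https://kms-b.example.net:16000/kms", sm_b)   # constructed
    provider = LoadBalancingProvider([kms_a, kms_b])
    creds = {}
    for _ in range(calls):
        provider.add_delegation_tokens(creds, store_under_all_services)
    results = {}
    for inst in (kms_a, kms_b):
        try:
            results[inst.service] = inst.handle_request(creds)
        except PermissionError as e:
            results[inst.service] = str(e)
    return results


if __name__ == "__main__":
    print("one call, no replication   :", scenario(False, False, 1))
    print("two calls (MapReduce-like) :", scenario(False, False, 2))
    print("replicate + shared DTSM    :", scenario(True, True, 1))
    print("replicate, standalone DTSMs:", scenario(False, True, 1))
```

The four runs line up with the thread: a single call leaves the second instance without a token (the reporter's failure), a second call happens to cover it (why MapReduce masks the bug), storing the one token under both service names works only when both instances will accept it, and doing so with per-instance secret managers trades the missing-token error for a token-unknown error, which is the ZKDTSM dependency the comment points out.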



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

