Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 7A736200CBC for ; Tue, 30 May 2017 19:27:10 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 7900B160BB1; Tue, 30 May 2017 17:27:10 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id C22E3160BDC for ; Tue, 30 May 2017 19:27:09 +0200 (CEST) Received: (qmail 22433 invoked by uid 500); 30 May 2017 17:27:07 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 22422 invoked by uid 99); 30 May 2017 17:27:07 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 30 May 2017 17:27:07 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id E9D6E180535 for ; Tue, 30 May 2017 17:27:06 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.202 X-Spam-Level: X-Spam-Status: No, score=-99.202 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id V0Lo_qKiQVdv for ; Tue, 30 May 2017 17:27:06 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id BEC195FDAD for ; Tue, 30 May 2017 17:27:05 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id EC86BE0D99 for ; Tue, 30 May 2017 17:27:04 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 55EDE21B60 for ; Tue, 30 May 2017 17:27:04 +0000 (UTC) Date: Tue, 30 May 2017 17:27:04 +0000 (UTC) From: "Yongjun Zhang (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Tue, 30 May 2017 17:27:10 -0000 [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029793#comment-16029793 ] Yongjun Zhang commented on HADOOP-14445: ---------------------------------------- Thanks much [~shahrs87]. My thinking is: For clients which are running without the fix, the behavior will be the same as before; For clients which are started after installing the fix, the tokens will be stored with the new key; If different pieces of a client job are running with different software (some has the fix, some don't), then fallback may or may not work. Does this make sense to you? Maybe we can add the tokens with both the old key and new key, then apply fallback when needed, so fallback will be successful? [~asuresh]'s #2 proposal at https://issues.apache.org/jira/browse/HADOOP-14441?focusedCommentId=16019893&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16019893 seems more robust, but I'm not sure how involved this solution is too. Thanks. > Delegation tokens are not shared between KMS instances > ------------------------------------------------------ > > Key: HADOOP-14445 > URL: https://issues.apache.org/jira/browse/HADOOP-14445 > Project: Hadoop Common > Issue Type: Bug > Components: documentation, kms > Affects Versions: 2.8.0, 3.0.0-alpha1 > Reporter: Wei-Chiu Chuang > Assignee: Rushabh S Shah > Attachments: HADOOP-14445-branch-2.8.patch > > > As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share delegation tokens. (a client uses KMS address/port as the key for delegation token) > {code:title=DelegationTokenAuthenticatedURL#openConnection} > if (!creds.getAllTokens().isEmpty()) { > InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), > url.getPort()); > Text service = SecurityUtil.buildTokenService(serviceAddr); > dToken = creds.getToken(service); > {code} > But KMS doc states: > {quote} > Delegation Tokens > Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too. > Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper. > {quote} > We should either update the KMS documentation, or fix this code to share delegation tokens. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org