hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiaoyu Yao (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14987) Improve KMSClientProvider log around delegation token checking
Date Mon, 30 Oct 2017 22:42:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225874#comment-16225874

Xiaoyu Yao commented on HADOOP-14987:

Thanks [~xiaochen] for the review. This additional line was added mainly for the TestLoadBalancingKMSClientProvider#testCreation
where the provider creation tests uses kmsUrl without proper port. In production, the key.provider.uri
should always have a valid port toward the KMS server. 

I'm hesitant to annotate the new API with @InterfaceAudience.Private because this may be useful
for upstream projects such as MR/Hive/Spark, etc. for debugging token and UGI related code.
The original one is kept to handle the case where the caller may not have a log instance.
As a result, UGI log is used as a fallback.

> Improve KMSClientProvider log around delegation token checking
> --------------------------------------------------------------
>                 Key: HADOOP-14987
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14987
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 2.7.3
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>         Attachments: HADOOP-14987.001.patch, HADOOP-14987.002.patch
> KMSClientProvider#containsKmsDt uses SecurityUtil.buildTokenService(addr) to build the
key to look for KMS-DT from the UGI's token map. The token lookup key here varies depending
 on the KMSClientProvider's configuration value for hadoop.security.token.service.use_ip.
In certain cases, the token obtained with non-matching hadoop.security.token.service.use_ip
setting will not be recognized by KMSClientProvider. This ticket is opened to improve logs
for troubleshooting KMS delegation token related issues like this.  

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message