hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14104) Client should always ask namenode for kms provider path.
Date Wed, 15 Nov 2017 23:43:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16254466#comment-16254466

Daryn Sharp commented on HADOOP-14104:

bq. Having identical nameservices for multiple clusters is arguably a mis-configuration
No arguably, it is a misconfiguration.

Instead of adding more complexity like guids to an already terrible idea – a conf-based
nameservice which is ironically what allows this problem to exist – in an attempt to disambiguate
the shared name,  I have a simpler solution: _uniquely name your clusters_.  There's nothing
to fix.

As trivia: RPC has the same "issue", although it's not as evident due to persistent connections
unlike the kms & http.  If the RPC connection goes down (idle closes, connection issue,
retriable exception, etc), it's going to reconnect with a token, possibly the wrong token
because it was for the other NN.

> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>             Fix For: 2.9.0, 3.0.0-alpha4, 2.8.2
>         Attachments: HADOOP-14104-branch-2.8.patch, HADOOP-14104-branch-2.patch, HADOOP-14104-trunk-v1.patch,
HADOOP-14104-trunk-v2.patch, HADOOP-14104-trunk-v3.patch, HADOOP-14104-trunk-v4.patch, HADOOP-14104-trunk-v5.patch,
> According to current implementation of kms provider in client conf, there can only be
one kms.
> In multi-cluster environment, if a client is reading encrypted data from multiple clusters
it will only get kms token for local cluster.
> Not sure whether the target version is correct or not.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message