hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances
Date Wed, 24 Jan 2018 17:27:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16337925#comment-16337925

Xiao Chen commented on HADOOP-14445:

Thanks for the work here Rushabh, latest patch looks really promising! Appreciate the thorough
test coverage.

I will run some more tests with this patch on a test cluster, and will comment back.

Some comments in latest patch, mostly nits:
 * We need some sort of formal documentation on upgrading -> changing the config. Either
in docs or a detailed release note would do.
 * KMSCP: Please move the new config to KMSConfiguration.java. Also rename the variables
to be the common hadoop naming convention (xxx_KEY, xxx_DEFAULT)
 * KMSCP: typo, "then he value is read from" s/he value/the value/g
 * KMSCP: There are some extra line breaks after createKMSAuthenticatedURL.
 * KMSCP: {{containsKmsDt}}'s existing log isn't accurate. Suggest to move that to after the
{{getTokenFromCredentials}} call, and log out what token it actually got.
 * TestLoadBalancingKMSClientProvider.java: I think we don't need to set the injector during
 * TestKMS: some unused variables can be removed: line 2606 {{renewed}}, line 2653 {{kp1}}.

My 'key operations' comments meant to say we actually use the token to do something. You
happen to add the same in the new tests. :)

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Rushabh S Shah
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch,
HADOOP-14445.002.patch, HADOOP-14445.003.patch
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share
delegation tokens. (a client uses KMS address/port as the key for delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens
> Under HA, A KMS instance must verify the delegation token given by another KMS instance,
by checking the shared secret used to sign the delegation token. To do this, all KMS instances
must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message