hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances
Date Mon, 29 Jan 2018 22:13:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344105#comment-16344105
] 

Xiao Chen commented on HADOOP-14445:
------------------------------------

Thanks [~daryn] for circling back with the new idea. Mixed feeling (and head scratching)!
:)

I think a new and standardized token kind should work, and conveniently eliminate the need
for changing client configs, so SGTM. We may also check in the RM, when its {{DelegationTokenRenewer}}
received a set of tokens, and there are both kms-dt and KMS_D_T with the same sequence number,
only renew the KMS_D_T.
For that to work, we'd need a new {{KMSDelegationTokenIdentifier}} class and a new {{DelegationTokenAuthenticationHandler}}
too. 

Curious: with the current approach (patch 3) we need just an additional config deployment
after the upgrade, right? What changed your mind from [earlier|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16279134&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16279134]
(assuming the implementation comments are addressed) ?

I'd rather prefer not to sacrifice old RM + new client. True for RU should still work, but
there is still support burden for a new client connecting to an existing cluster. Token issues
are not the easiest to figure out, and IMO we should avoid this case when we can.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Rushabh S Shah
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch,
HADOOP-14445.002.patch, HADOOP-14445.003.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share
delegation tokens. (a client uses KMS address/port as the key for delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens
too.
> Under HA, A KMS instance must verify the delegation token given by another KMS instance,
by checking the shared secret used to sign the delegation token. To do this, all KMS instances
must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message