Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id C6561160C09 for ; Tue, 2 Jan 2018 22:03:05 +0100 (CET) Received: (qmail 21906 invoked by uid 500); 2 Jan 2018 21:03:04 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 21895 invoked by uid 99); 2 Jan 2018 21:03:04 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Jan 2018 21:03:04 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 1794B180786 for ; Tue, 2 Jan 2018 21:03:04 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -107.211 X-Spam-Level: X-Spam-Status: No, score=-107.211 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id YV2N4rXzl9QE for ; Tue, 2 Jan 2018 21:03:02 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id D3D025F3E1 for ; Tue, 2 Jan 2018 21:03:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id BD1ABE0AA3 for ; Tue, 2 Jan 2018 21:03:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 62D20212F8 for ; Tue, 2 Jan 2018 21:03:00 +0000 (UTC) Date: Tue, 2 Jan 2018 21:03:00 +0000 (UTC) From: "Rushabh S Shah (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Tue, 02 Jan 2018 21:03:06 -0000 [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16308703#comment-16308703 ] Rushabh S Shah commented on HADOOP-14445: ----------------------------------------- Thanks [~xiaochen] for the review. bq. There is also 1 thing that I think missed in the recent compat discussions: That is an excellent catch. The general contract for hadoop upgrade is client should be the last one to upgrade after all the servers are upgraded. But this argument doesn't hold true for multi cluster support. We need to support that. Personally I don't like the idea of duplicatiing the tokens with different service fields because once the token lifetime expires, RM will have to renew 2 tokens instead of one. One way I can think is have a conf like {{hadoop.kms.token.use.new.format}} and treat this release as bridge release. Default this conf to false. If the conf value is false, the client will create the token with old format. KMSCP will have support for renewing/cancelling both format of tokens. Once all the servers, clients, servers and all the clusters are upgraded, set the conf value to true. If the conf value is true, it will add the token with new format. I am also not a big supporter of conf based solutions but to ensure backwards compatibility I am proposing this. Xiao: Let me know what you think. Daryn is not back from vacation. He should be in tomorrow. I will discuss with him tomorrow and will update the ticket. I will address all the review comments in next patch when we have clear way for fixing the last compatibility issue. > Delegation tokens are not shared between KMS instances > ------------------------------------------------------ > > Key: HADOOP-14445 > URL: https://issues.apache.org/jira/browse/HADOOP-14445 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.8.0, 3.0.0-alpha1 > Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption > Reporter: Wei-Chiu Chuang > Assignee: Rushabh S Shah > Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch > > > As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share delegation tokens. (a client uses KMS address/port as the key for delegation token) > {code:title=DelegationTokenAuthenticatedURL#openConnection} > if (!creds.getAllTokens().isEmpty()) { > InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), > url.getPort()); > Text service = SecurityUtil.buildTokenService(serviceAddr); > dToken = creds.getToken(service); > {code} > But KMS doc states: > {quote} > Delegation Tokens > Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too. > Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper. > {quote} > We should either update the KMS documentation, or fix this code to share delegation tokens. -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org