hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-14445) Delegation tokens are not shared between KMS instances
Date Mon, 26 Mar 2018 23:02:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16414729#comment-16414729
] 

Xiao Chen edited comment on HADOOP-14445 at 3/26/18 11:01 PM:
--------------------------------------------------------------

[^HADOOP-14445.09.patch] should address all comments from Rushabh, exceptions below.

Regarding TestKMS,
{quote} 2. providersCreated:
{quote}
I disagree because even in tests we should code against interface. It's implementation detail
that {{createProvider}} only returns the KMSCP subclass of KeyProvider, and the Test code
should just handle KeyProvider for cleanness. This has been split out to HADOOP-15313 to limit
the scope, let's move further discussions there or feel free to file follow-ons.

Agreed {{LoadBalancingKMSCP#close}} should throw instead of swallow - feels like a bug. Created
HADOOP-15344 for that.
{quote}4. testTokenCompatibilityOldRenewer
{quote}
The reason for not choosing a shorter amount of time is after the renewal, we want to authenticate
using that token to all KMS instances. While a small renew interval would mean less wait,
it also poses higher risks of flaky test failures if the authentication did not run within
that time. Jenkins slaves are usually unreliable. Ideally one should find a way to haul into
the secret manager, and change intervals from the test - but that seems pretty messy to do
so left as-is. Let me know what you think.
 Also updated the test to verify it actually works with every KMCSP inside LBKMSCP.


was (Author: xiaochen):
 [^HADOOP-14445.09.patch] should address all comments from Rushabh, exceptions below.

Regarding TestKMS,
bq. 2. providersCreated: 
I disagree because even in tests we should code against interface. It's implementation detail
that {{createProvider}} only returns the KMSCP subclass of KeyProvider, and the Test code
should just handle KeyProvider for cleanness.

Agreed {{LoadBalancingKMSCP#close}} should throw instead of swallow - feels like a bug. Created
HADOOP-15344 for that.

bq. 4. testTokenCompatibilityOldRenewer
The reason for not choosing a shorter amount of time is after the renewal, we want to authenticate
using that token to all KMS instances. While a small renew interval would mean less wait,
it also poses higher risks of flaky test failures if the authentication did not run within
that time. Jenkins slaves are usually unreliable. Ideally one should find a way to haul into
the secret manager, and change intervals from the test - but that seems pretty messy to do
so left as-is. Let me know what you think.
Also updated the test to verify it actually works with every KMCSP inside LBKMSCP.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch,
HADOOP-14445.002.patch, HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch,
HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, HADOOP-14445.09.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share
delegation tokens. (a client uses KMS address/port as the key for delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens
too.
> Under HA, A KMS instance must verify the delegation token given by another KMS instance,
by checking the shared secret used to sign the delegation token. To do this, all KMS instances
must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message