hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances
Date Thu, 16 Aug 2018 03:35:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581894#comment-16581894
] 

Xiao Chen commented on HADOOP-14445:
------------------------------------

Thanks all for reviewing this. Look forward to Daryn's active reviews, will address comments
together..

Clarifications on the questions:
{quote}If the order of the kms instances change between renew for the long running process?
Will the token selector still be able to find the matching token (AbstractDelegationTokenSelector#selectToken())
to renew? Should we define a logical kms uri to represent KMS HA instances to avoid this?
{quote}
Good question. You're right that when the url changes, the selection wouldn't work. My collection
from the earlier discussion was that this was deemed an acceptable behavior. See discussions
above, until [this comment|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16033492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16033492].

{quote}
L347 in DelegationTokenAuthenticatedURL#selectDelegationToken will return a service in ip:port
or host:port format (not uri). So creds.getToken(service) in next line may not return the
HA KMS DT as service name will be in URI format. 
{quote}
The goal of this jira is to add this new format, while maintaining backwards compatibility.
This means if the new software runs with old software (when the config {{hadoop.security.kms.client.token.use.uri.format}}
isn't changed), it would behave the same. Hence the {{DelegationTokenAuthenticatedURL#selectDelegationToken}}
is simply a code refactor.

The reason for that refactor is that, we can override this behavior in KMSCP and work our
way for the new format. The reason it falls back to DTAURL to select token is for compat.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch,
HADOOP-14445.002.patch, HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch,
HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, HADOOP-14445.09.patch,
HADOOP-14445.10.patch, HADOOP-14445.11.patch, HADOOP-14445.12.patch, HADOOP-14445.13.patch,
HADOOP-14445.14.patch, HADOOP-14445.15.patch, HADOOP-14445.16.patch, HADOOP-14445.branch-2.000.precommit.patch,
HADOOP-14445.branch-2.001.precommit.patch, HADOOP-14445.branch-2.01.patch, HADOOP-14445.branch-2.02.patch,
HADOOP-14445.branch-2.03.patch, HADOOP-14445.branch-2.04.patch, HADOOP-14445.branch-2.05.patch,
HADOOP-14445.branch-2.06.patch, HADOOP-14445.branch-2.8.003.patch, HADOOP-14445.branch-2.8.004.patch,
HADOOP-14445.branch-2.8.005.patch, HADOOP-14445.branch-2.8.006.patch, HADOOP-14445.branch-2.8.revert.patch,
HADOOP-14445.revert.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share
delegation tokens. (a client uses KMS address/port as the key for delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens
too.
> Under HA, A KMS instance must verify the delegation token given by another KMS instance,
by checking the shared secret used to sign the delegation token. To do this, all KMS instances
must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message