From common-issues-return-156251-archive-asf-public=cust-asf.ponee.io@hadoop.apache.org Thu Aug 16 05:35:04 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 1C880180626 for ; Thu, 16 Aug 2018 05:35:03 +0200 (CEST) Received: (qmail 82548 invoked by uid 500); 16 Aug 2018 03:35:03 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 82537 invoked by uid 99); 16 Aug 2018 03:35:02 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 16 Aug 2018 03:35:02 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 462ABC76D8 for ; Thu, 16 Aug 2018 03:35:02 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -110.301 X-Spam-Level: X-Spam-Status: No, score=-110.301 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id hZpulXfJCV6U for ; Thu, 16 Aug 2018 03:35:01 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 447FE5F3B7 for ; Thu, 16 Aug 2018 03:35:01 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id B18AEE0177 for ; Thu, 16 Aug 2018 03:35:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 690DD23F9E for ; Thu, 16 Aug 2018 03:35:00 +0000 (UTC) Date: Thu, 16 Aug 2018 03:35:00 +0000 (UTC) From: "Xiao Chen (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581894#comment-16581894 ] Xiao Chen commented on HADOOP-14445: ------------------------------------ Thanks all for reviewing this. Look forward to Daryn's active reviews, will address comments together.. Clarifications on the questions: {quote}If the order of the kms instances change between renew for the long running process? Will the token selector still be able to find the matching token (AbstractDelegationTokenSelector#selectToken()) to renew? Should we define a logical kms uri to represent KMS HA instances to avoid this? {quote} Good question. You're right that when the url changes, the selection wouldn't work. My collection from the earlier discussion was that this was deemed an acceptable behavior. See discussions above, until [this comment|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16033492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16033492]. {quote} L347 in DelegationTokenAuthenticatedURL#selectDelegationToken will return a service in ip:port or host:port format (not uri). So creds.getToken(service) in next line may not return the HA KMS DT as service name will be in URI format. {quote} The goal of this jira is to add this new format, while maintaining backwards compatibility. This means if the new software runs with old software (when the config {{hadoop.security.kms.client.token.use.uri.format}} isn't changed), it would behave the same. Hence the {{DelegationTokenAuthenticatedURL#selectDelegationToken}} is simply a code refactor. The reason for that refactor is that, we can override this behavior in KMSCP and work our way for the new format. The reason it falls back to DTAURL to select token is for compat. > Delegation tokens are not shared between KMS instances > ------------------------------------------------------ > > Key: HADOOP-14445 > URL: https://issues.apache.org/jira/browse/HADOOP-14445 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.8.0, 3.0.0-alpha1 > Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption > Reporter: Wei-Chiu Chuang > Assignee: Xiao Chen > Priority: Major > Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch, HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, HADOOP-14445.09.patch, HADOOP-14445.10.patch, HADOOP-14445.11.patch, HADOOP-14445.12.patch, HADOOP-14445.13.patch, HADOOP-14445.14.patch, HADOOP-14445.15.patch, HADOOP-14445.16.patch, HADOOP-14445.branch-2.000.precommit.patch, HADOOP-14445.branch-2.001.precommit.patch, HADOOP-14445.branch-2.01.patch, HADOOP-14445.branch-2.02.patch, HADOOP-14445.branch-2.03.patch, HADOOP-14445.branch-2.04.patch, HADOOP-14445.branch-2.05.patch, HADOOP-14445.branch-2.06.patch, HADOOP-14445.branch-2.8.003.patch, HADOOP-14445.branch-2.8.004.patch, HADOOP-14445.branch-2.8.005.patch, HADOOP-14445.branch-2.8.006.patch, HADOOP-14445.branch-2.8.revert.patch, HADOOP-14445.revert.patch > > > As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share delegation tokens. (a client uses KMS address/port as the key for delegation token) > {code:title=DelegationTokenAuthenticatedURL#openConnection} > if (!creds.getAllTokens().isEmpty()) { > InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), > url.getPort()); > Text service = SecurityUtil.buildTokenService(serviceAddr); > dToken = creds.getToken(service); > {code} > But KMS doc states: > {quote} > Delegation Tokens > Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too. > Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper. > {quote} > We should either update the KMS documentation, or fix this code to share delegation tokens. -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org