hadoop-common-issues mailing list archives

From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances
Date Thu, 11 Oct 2018 15:27:02 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16646609#comment-16646609 ]

Daryn Sharp commented on HADOOP-14445:
--------------------------------------

[~xiaochen] Sorry for the delay. I did a quick review of the diff of the diffs. I think
it looks good, no substantive changes, nice tests! +1 pending fixing the logging changes.

1. There's a debug log that uses creds.getAllTokens(). Be mindful to avoid computation
   that in the common case is not necessary. I'd remove it but you could wrap with check for
   debug enabled.
2. Don't log things like token creation, setting of service, etc at the info level. The kms
   client shouldn't be so noisy about things normal users don't care about.

Feels a bit odd approving my own patch, but I suppose I'm giving +1 to tests and you can +1
the code.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch,
HADOOP-14445.002.patch, HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch,
HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, HADOOP-14445.09.patch,
HADOOP-14445.10.patch, HADOOP-14445.11.patch, HADOOP-14445.12.patch, HADOOP-14445.13.patch,
HADOOP-14445.14.patch, HADOOP-14445.15.patch, HADOOP-14445.16.patch, HADOOP-14445.17.patch,
HADOOP-14445.18.patch, HADOOP-14445.19.patch, HADOOP-14445.branch-2.000.precommit.patch, HADOOP-14445.branch-2.001.precommit.patch,
HADOOP-14445.branch-2.01.patch, HADOOP-14445.branch-2.02.patch, HADOOP-14445.branch-2.03.patch,
HADOOP-14445.branch-2.04.patch, HADOOP-14445.branch-2.05.patch, HADOOP-14445.branch-2.06.patch,
HADOOP-14445.branch-2.8.003.patch, HADOOP-14445.branch-2.8.004.patch, HADOOP-14445.branch-2.8.005.patch,
HADOOP-14445.branch-2.8.006.patch, HADOOP-14445.branch-2.8.revert.patch, HADOOP-14445.compat.patch,
HADOOP-14445.revert.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider does not share
delegation tokens (a client uses the KMS address/port as the key for the delegation token).
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>   // the lookup key is the concrete host:port of the URL being opened
>   InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>       url.getPort());
>   Text service = SecurityUtil.buildTokenService(serviceAddr);
>   // a token issued by a different KMS instance carries a different service key
>   dToken = creds.getToken(service);
>   // ...
> }
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens
too.
> Under HA, A KMS instance must verify the delegation token given by another KMS instance,
by checking the shared secret used to sign the delegation token. To do this, all KMS instances
must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
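The failure mode described in the issue, and the per-host service key the quoted openConnection snippet builds, can be reproduced with a small stand-alone model. This is an added example and not Hadoop code or the committed patch: the Token and Credentials classes, the instance URLs, the logical service name and the `select_token_logical` lookup are all assumptions chosen to show why a token obtained from one KMS instance is invisible when LoadBalancingKMSClientProvider routes the next request to another instance. The DEBUG guard at the end reflects the review point about not enumerating tokens unless debug logging is on.

```python
"""Constructed model of the HADOOP-14445 token lookup. Not Hadoop code:
all class, function and instance names below are assumptions."""

import logging
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

LOG = logging.getLogger("kms-client-model")


@dataclass(frozen=True)
class Token:
    kind: str          # token kind, e.g. "kms-dt"
    service: str       # key under which Credentials stores the token
    identifier: bytes  # opaque identifier (constructed sample bytes)


@dataclass
class Credentials:
    """Minimal stand-in for the Hadoop Credentials container (assumed shape)."""
    tokens: Dict[str, Token] = field(default_factory=dict)

    def add_token(self, token: Token) -> None:
        self.tokens[token.service] = token

    def get_token(self, service: str) -> Optional[Token]:
        return self.tokens.get(service)

    def get_all_tokens(self) -> List[Token]:
        return list(self.tokens.values())


def build_token_service(url: str) -> str:
    """Models SecurityUtil.buildTokenService on the URL's own host:port."""
    p = urlparse(url)
    return f"{p.hostname}:{p.port}"


def select_token_per_host(creds: Credentials, url: str) -> Optional[Token]:
    """The lookup quoted from DelegationTokenAuthenticatedURL#openConnection:
    keyed by the concrete instance address, so a token issued by kms1 is not
    found when the load balancer opens a connection to kms2."""
    if not creds.get_all_tokens():
        return None
    return creds.get_token(build_token_service(url))


def select_token_logical(creds: Credentials, url: str,
                         kms_instances: Iterable[str],
                         logical_service: str) -> Optional[Token]:
    """Assumed hardened lookup (not the committed fix): every member of the
    HA group resolves to one shared logical service key."""
    if not creds.get_all_tokens():
        return None
    if build_token_service(url) in {build_token_service(u) for u in kms_instances}:
        return creds.get_token(logical_service)
    return creds.get_token(build_token_service(url))


# Constructed HA group; hostnames and the logical key are placeholders.
KMS_INSTANCES = ["https://kms1.example.internal:9600/kms",
                 "https://kms2.example.internal:9600/kms"]
LOGICAL_SERVICE = "kms-ha-group"


def run_ha_scenario(lookup_name: str) -> Dict[str, bool]:
    """A token is fetched once (from kms1), then each instance is tried in turn.
    Returns url -> whether a usable delegation token was found for it."""
    creds = Credentials()
    if lookup_name == "per_host":
        creds.add_token(Token("kms-dt", build_token_service(KMS_INSTANCES[0]), b"\x01"))
        found = {u: select_token_per_host(creds, u) is not None
                 for u in KMS_INSTANCES}
    else:
        creds.add_token(Token("kms-dt", LOGICAL_SERVICE, b"\x01"))
        found = {u: select_token_logical(creds, u, KMS_INSTANCES, LOGICAL_SERVICE) is not None
                 for u in KMS_INSTANCES}
    # Review point from the thread: only enumerate tokens when DEBUG is enabled.
    if LOG.isEnabledFor(logging.DEBUG):
        LOG.debug("tokens held: %s", [t.service for t in creds.get_all_tokens()])
    return found


if __name__ == "__main__":
    print("per-host key:", run_ha_scenario("per_host"))
    print("logical key: ", run_ha_scenario("logical"))
```

With the per-host key the second instance reports no token, which is exactly the case where a load-balanced client falls back to interactive authentication or fails; with a group-wide key both instances resolve the same token. The logical-key variant is illustrative only and says nothing about how the attached patches implement sharing.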


