hadoop-hdfs-issues mailing list archives

From "Yiqun Lin (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HDFS-10436) dfs.block.access.token.enable should default on when security is !simple
Date Fri, 20 May 2016 02:13:12 GMT

    [ https://issues.apache.org/jira/browse/HDFS-10436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292544#comment-15292544 ]

Yiqun Lin edited comment on HDFS-10436 at 5/20/16 2:12 AM:
-----------------------------------------------------------

Hi [~aw], thanks for reporting this. I agree with you. If UGI security is enabled and
you forget to enable {{dfs.block.access.token.enable}}, then the default value (here
false) is still used. And it will return null here. Like this:
{code}
  private static BlockTokenSecretManager createBlockTokenSecretManager(
      final Configuration conf) throws IOException {
    final boolean isEnabled = conf.getBoolean(
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, 
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_DEFAULT);
    LOG.info(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + "=" + isEnabled);

    if (!isEnabled) {
      if (UserGroupInformation.isSecurityEnabled()) {
        String errMessage = "Security is enabled but block access tokens " +
            "(via " + DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + ") " +
            "aren't enabled. This may cause issues " +
            "when clients attempt to connect to a DataNode. Aborting NameNode";
        throw new IOException(errMessage);
      }
      return null;
    }
{code}
In {{DataNode#checkSecureConfig}}, there is also a similar problem. I will attach a patch for this
later.


was (Author: linyiqun):
Hi [~aw], thanks for reporting this. I agree with you. If UGI security is enabled and
you forget to enable {{dfs.block.access.token.enable}}, then the default value (here
false) is still used. And it will cause the IOException. Like this:
{code}
  private static BlockTokenSecretManager createBlockTokenSecretManager(
      final Configuration conf) throws IOException {
    final boolean isEnabled = conf.getBoolean(
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, 
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_DEFAULT);
    LOG.info(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + "=" + isEnabled);

    if (!isEnabled) {
      if (UserGroupInformation.isSecurityEnabled()) {
        String errMessage = "Security is enabled but block access tokens " +
            "(via " + DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + ") " +
            "aren't enabled. This may cause issues " +
            "when clients attempt to connect to a DataNode. Aborting NameNode";
        throw new IOException(errMessage);
      }
      return null;
    }
{code}
In {{DataNode#checkSecureConfig}}, there is also a similar problem. I will attach a patch for this.

> dfs.block.access.token.enable should default on when security is !simple
> ------------------------------------------------------------------------
>
>                 Key: HDFS-10436
>                 URL: https://issues.apache.org/jira/browse/HDFS-10436
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, namenode
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Allen Wittenauer
>            Assignee: Yiqun Lin
>
> Unless there is a valid configuration where dfs.block.access.token.enable is off and security is on, then rather than shutdown we should just enable the block access tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org
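
A pre-flight check for the misconfiguration discussed in this message, as an added example that is not part of the original email or of Hadoop's own code: it reads core-site.xml / hdfs-site.xml style documents and reports whether a secure cluster would reach the abort path in the quoted {{createBlockTokenSecretManager}}. The function names, status strings and sample XML are constructed for illustration; {{hadoop.security.authentication}} is the standard key whose value "simple" means security is off.

```python
import xml.etree.ElementTree as ET

TOKEN_KEY = "dfs.block.access.token.enable"   # key named in the issue
AUTH_KEY = "hadoop.security.authentication"   # "simple" (the default) means security is off


def load_props(*xml_docs):
    """Merge Hadoop <configuration> documents; later ones override earlier ones."""
    props = {}
    for doc in xml_docs:
        for prop in ET.fromstring(doc).iter("property"):
            name = (prop.findtext("name") or "").strip()
            if name:
                props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_block_tokens(props):
    """Classify the block-token setting against the cluster's security mode."""
    secure = props.get(AUTH_KEY, "simple").lower() != "simple"
    raw = props.get(TOKEN_KEY, "").lower()
    if raw == "true":
        return "ok"
    if not secure:
        return "ok-insecure-cluster"
    # Security is on and the effective value is false, so the quoted NameNode
    # code throws IOException at startup. Distinguish an explicit "false" from
    # a missing (or unparseable) value that falls back to the default of false,
    # which is the case the issue proposes to default on instead.
    return "explicit-off" if raw == "false" else "default-off"


# Constructed sample input, not taken from a real cluster.
CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
</configuration>"""
HDFS_UNSET = "<configuration></configuration>"
HDFS_OFF = """<configuration>
  <property><name>dfs.block.access.token.enable</name><value>false</value></property>
</configuration>"""
HDFS_ON = """<configuration>
  <property><name>dfs.block.access.token.enable</name><value> TRUE </value></property>
</configuration>"""

if __name__ == "__main__":
    for label, hdfs in (("unset", HDFS_UNSET), ("off", HDFS_OFF), ("on", HDFS_ON)):
        print(label, "->", audit_block_tokens(load_props(CORE_SITE, hdfs)))
```
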

