From: "Xiaoyu Yao (JIRA)"
To: hdfs-issues@hadoop.apache.org
Date: Thu, 5 Oct 2017 19:56:00 +0000 (UTC)
Subject: [jira] [Moved] (HDFS-12600) CLONE - KMSClientProvider won't work with KMS delegation token retrieved from non-Java client.

[ https://issues.apache.org/jira/browse/HDFS-12600?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaoyu Yao moved HADOOP-14933 to HDFS-12600:
--------------------------------------------

    Issue Type: Improvement  (was: Bug)
           Key: HDFS-12600  (was: HADOOP-14933)
       Project: Hadoop HDFS  (was: Hadoop Common)

> CLONE - KMSClientProvider won't work with KMS delegation token retrieved from non-Java client.
> ----------------------------------------------------------------------------------------------
>
>                 Key: HDFS-12600
>                 URL: https://issues.apache.org/jira/browse/HDFS-12600
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>
> HADOOP-13381 added support to use a KMS delegation token to connect to the KMS server for key operations. However, the logic that checks whether the UGI contains a KMS delegation token assumes that the token must contain a service attribute. Otherwise, a KMS delegation token won't be recognized.
> For a delegation token obtained via a non-Java client such as curl (HTTP), the default DelegationTokenAuthenticationHandler only supports the *renewer* parameter and assumes the client itself will add the service attribute. This means a Java client using KMSClientProvider can't use a KMS delegation token retrieved from a non-Java client, because the token does not contain a service attribute.
>
> I did some investigation on this and found two solutions:
>
> 1. A similar use case exists for webhdfs, and webhdfs supports it with a ["service" parameter|https://hadoop.apache.org/docs/r2.8.0/hadoop-project-dist/hadoop-hdfs/WebHDFS.html#Get_Delegation_Token].
> We can do this similarly by allowing the client to specify a service attribute in the request URL and including it in the token returned, like webhdfs. Even though this requires a change in DelegationTokenAuthenticationHandler and may affect many other web components, this seems to be a clean and low-risk solution because it will be an optional parameter. Also, other components get non-Java client interop support for free if they have a similar use case.
>
> 2. The other way to solve this is to relax the token check in KMSClientProvider to check only the token kind instead of the service. This is an easy workaround but seems less optimal to me.
>
> cc: [~xiaochen] for additional input.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
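The following is an added example, not code from the issue or from Hadoop, showing the two halves of the problem described above on a concrete token: the non-Java client receives {"Token": {"urlString": ...}} (the same JSON shape the WebHDFS documentation shows for GETDELEGATIONTOKEN) whose serialized token has an empty service field, so a check keyed on the service attribute misses it, while a check keyed on the token kind (solution 2) still recognizes it, and filling the service in client-side gives the effect a server-side "service" parameter (solution 1) would have. The decoder reimplements Hadoop's Token wire format (WritableUtils vint-prefixed identifier, password, kind and service, then URL-safe base64 without padding) in Python so it runs offline. The sample identifier and password bytes and the service value "kms.example.com:9600" are constructed placeholders; the service a real KMSClientProvider expects is derived from its own KMS URL and token-service settings, which the issue does not spell out.

```python
"""Inspect and patch a Hadoop delegation token obtained with curl.

Added example, not Hadoop's code. Implements Hadoop's Token wire format
(WritableUtils vint-prefixed identifier, password, kind and service, then
URL-safe base64 without padding) so a token from the
{"Token": {"urlString": ...}} JSON handed to a non-Java client can be
decoded, recognised by kind, and given the service attribute it lacks.
"""
import base64
import json

KMS_TOKEN_KIND = "kms-dt"  # token kind of KMS delegation tokens


def _read_vint(buf, pos):
    """WritableUtils.readVLong: a first byte in [-112, 127] is the value
    itself; a smaller first byte encodes sign and count of big-endian bytes."""
    first = buf[pos] - 256 if buf[pos] > 127 else buf[pos]
    if first >= -112:
        return first, pos + 1
    negative = first < -120
    n = (-120 - first) if negative else (-112 - first)
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return (~value if negative else value), pos + 1 + n


def _write_vint(value):
    """WritableUtils.writeVLong, the inverse of _read_vint."""
    if -112 <= value <= 127:
        return bytes([value & 0xFF])
    negative = value < 0
    if negative:
        value = ~value  # one's complement, as Hadoop does
    n = (value.bit_length() + 7) // 8
    prefix = (-120 if negative else -112) - n
    return bytes([prefix & 0xFF]) + value.to_bytes(n, "big")


def _read_field(buf, pos):
    """A length-prefixed byte field (Text and byte[] share this layout)."""
    n, pos = _read_vint(buf, pos)
    if n < 0 or pos + n > len(buf):
        raise ValueError("corrupt token: bad field length")
    return bytes(buf[pos:pos + n]), pos + n


def decode_token_url_string(url_string):
    """Parse what Token.encodeToUrlString() produces. commons-codec's URL-safe
    mode omits '=' padding, so it is restored before decoding."""
    raw = base64.urlsafe_b64decode(url_string + "=" * (-len(url_string) % 4))
    identifier, pos = _read_field(raw, 0)
    password, pos = _read_field(raw, pos)
    kind, pos = _read_field(raw, pos)
    service, pos = _read_field(raw, pos)
    if pos != len(raw):
        raise ValueError("corrupt token: trailing bytes")
    return {"identifier": identifier, "password": password,
            "kind": kind.decode("utf-8"), "service": service.decode("utf-8")}


def encode_token_url_string(identifier, password, kind, service):
    """Token.write() followed by URL-safe base64 without padding."""
    fields = (identifier, password, kind.encode("utf-8"), service.encode("utf-8"))
    raw = b"".join(_write_vint(len(f)) + f for f in fields)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def token_from_json(body):
    """Pull urlString out of the delegation-token JSON response."""
    return json.loads(body)["Token"]["urlString"]


def is_kms_token(tok):
    """Solution 2 from the issue: recognise the token by kind alone, so an
    empty service attribute no longer hides it."""
    return tok["kind"] == KMS_TOKEN_KIND


def with_service(url_string, service):
    """Client-side stand-in for solution 1: keep identifier, password and
    kind, fill in the service the non-Java client left empty."""
    tok = decode_token_url_string(url_string)
    return encode_token_url_string(tok["identifier"], tok["password"],
                                   tok["kind"], service)


# Constructed sample of what curl would receive; identifier and password
# bytes are made up (a real identifier is a serialized token identifier).
SAMPLE_RESPONSE = json.dumps({"Token": {"urlString": encode_token_url_string(
    b"constructed-identifier", b"\x01\x02\x03\x04", KMS_TOKEN_KIND, "")}})
# Placeholder; the real value must match what the Java client derives from
# its KMS URL and token-service configuration.
KMS_SERVICE = "kms.example.com:9600"

if __name__ == "__main__":
    raw_tok = token_from_json(SAMPLE_RESPONSE)
    tok = decode_token_url_string(raw_tok)
    print("kind=%r service=%r recognised_by_kind=%s"
          % (tok["kind"], tok["service"], is_kms_token(tok)))
    patched = decode_token_url_string(with_service(raw_tok, KMS_SERVICE))
    print("after patch: service=%r" % patched["service"])
```

Running it prints the decoded token with an empty service and kind "kms-dt", then the same token carrying the placeholder service. The vint codec follows Hadoop's sign-and-length prefix exactly, so a urlString produced by this code round-trips byte for byte with one produced by Token.encodeToUrlString for the same fields.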