[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029562#comment-16029562
]
Rushabh S Shah commented on HADOOP-14445:
-----------------------------------------
[~yzhangal]: I understand that comments are not adequate in this patch.
I submitted this patch just for iteration purpose.
I will add verbose comments in my next patch.
Thanks for the quick reviews [~jojochuang] [~yzhangal].
bq. And if we replace an existing kms server with a different one, currently
running application may fail. So the KMS HA may not be really HA.
Also the current patch is incompatible since the new kms clients won't be able
to find the token which in the format of {{ip:port}}.
We can fallback to old behavior just by adding an if clause saying if we don't
find a token with the new format, fallback to old format.
In this way, we will be able to address the incompatibility.
Let me know if you have any feedback. Once again thank you all !!
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: documentation, kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Reporter: Wei-Chiu Chuang
> Assignee: Rushabh S Shah
> Attachments: HADOOP-14445-branch-2.8.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
