[
https://issues.apache.org/jira/browse/HADOOP-9747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113594#comment-16113594
]
Daryn Sharp commented on HADOOP-9747:
-------------------------------------
I'd rather it not be moved out. It's not exactly a "big and risky
feature/improvement". It does offer improvements via eliminating
synchronization (all calls to getCurrentUser, getLoginUser, and relogins are
class synchronized), but incidentally fixes some esoteric
skeleton-in-the-closet potential privilege escalation. Which is more risky?
Faster and correct? Slower and vulnerable?

The basic premise is that all calls to getCurrentUser, getLoginUser, and
relogin do not need to be class synchronized. A few marketing points since my
prior bullets were design oriented.

# A UGI identity is truly immutable after inception as was originally intended.
I.e. What was the principal? From keytab or ticket cache?
# Removes instance-level synchronization since it's generally worthless
(multiple UGIs share the same Subject)
# Removes class-level synchronization by moving class static principal/keytab
into the Subject
# Add synchronization only where necessary to fix races with relogins
corrupting the Subject
# Incidentally fixes root cause of issue that inspired the completely broken
"external ugi" hack
# Multiple logged in UGIs actually work correctly due to elimination of class
statics.
# Incidentally prevents relogin of 1 UGI causing another UGI to morph (see
linked jira)

It's really not that bad. About 50% of the patch is adding lots of great tests
since UGI tests are sparse. I've been waiting 4 years to integrate this patch.
I gave up and added workarounds in the IPC layer and NN. But then along came
EZ file EDEK fetching causing high UGI contention...

> Reduce unnecessary UGI synchronization
> --------------------------------------
>
> Key: HADOOP-9747
> URL: https://issues.apache.org/jira/browse/HADOOP-9747
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9747.2.branch-2.patch, HADOOP-9747.2.trunk.patch,
> HADOOP-9747.branch-2.patch, HADOOP-9747.trunk.patch
>
>
> Jstacks of heavily loaded NNs show up to dozens of threads blocking in the
> UGI.