[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16269164#comment-16269164
]
Xiao Chen edited comment on HADOOP-14445 at 11/28/17 6:05 PM:
--------------------------------------------------------------
Thanks for the offering [~shahrs87], totally fine if you want to update the
patch - I just want momentum on this. :)
For compatibility, I think we need:
- old client works with new format token
- old client renewer works with new token
- new client works with old format token
- new client renewer works with old format token (the RM case you commented)
This is rather exhaustive, but IMO necessary to support rolling upgrade and
clients that talks to multiple clusters.
I'll review HDFS-12355 and related jiras.
was (Author: xiaochen):
Thanks for the offering [~shahrs87], totally fine if you want to update the
patch - I just want momentum on this. :)
For compatibility, I think we need:
- old client works with new format token
- old client renewer works with new token (the RM case you commented)
- new client works with old format token
- new client renewer works with old format token
This is rather exhaustive, but IMO necessary to support rolling upgrade and
clients that talks to multiple clusters.
I'll review HDFS-12355 and related jiras.
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: documentation, kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Reporter: Wei-Chiu Chuang
> Assignee: Rushabh S Shah
> Attachments: HADOOP-14445-branch-2.8.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
