You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ozone.apache.org by "Bharat Viswanadham (Jira)" <ji...@apache.org> on 2020/04/30 21:43:00 UTC

[jira] [Resolved] (HDDS-3515) Ensure consistent OM token service field in HA environment

     [ https://issues.apache.org/jira/browse/HDDS-3515?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bharat Viswanadham resolved HDDS-3515.
--------------------------------------
    Fix Version/s: 0.6.0
       Resolution: Fixed

> Ensure consistent OM token service field in HA environment
> ----------------------------------------------------------
>
>                 Key: HDDS-3515
>                 URL: https://issues.apache.org/jira/browse/HDDS-3515
>             Project: Hadoop Distributed Data Store
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 0.5.0
>            Reporter: Namit Maheshwari
>            Assignee: Xiaoyu Yao
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 0.6.0
>
>
> Currently OMFailoverProxyProvider#computeDelegationTokenService calculate the canonical token service name based on the enumeration order of the configured OM instances. An example service field can be like TS1: "om1addr:port,om2addr:port,om3addr:port"
> This could be problematic
> 1) clients have different omId to omRpcAddresses mappings
> 2) configuration enumeration orders are different among clients
> Depend on the client configuration and enumeration order, the client may got its canonnical token service in different order like TS2: "om2addr:port,om1addr:port,om3:addr:port"
> MR/Yarn/Spark on Yarn relies on token service as key to check the UGI credential when building token cache map. When client got TS2 even though it has an OM token with TS1, client will try to collect OM token again. This will not work in YARN container (e.g., Spark on Yarn cluster mode) which may not have the kerberos ticket to fetch the token.
> The proposed fix it to provide a consistent canonical token service for all OM clients in order.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: ozone-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: ozone-issues-help@hadoop.apache.org