Posted to common-dev@hadoop.apache.org by "Tianyin Xu (JIRA)" <ji...@apache.org> on 2015/12/19 03:13:46 UTC
[jira] [Created] (HADOOP-12659) Incorrect usage of config parameters in token manager of KMS
Tianyin Xu created HADOOP-12659:
-----------------------------------
Summary: Incorrect usage of config parameters in token manager of KMS
Key: HADOOP-12659
URL: https://issues.apache.org/jira/browse/HADOOP-12659
Project: Hadoop Common
Issue Type: Bug
Components: security
Affects Versions: 2.6.2, 2.7.1
Reporter: Tianyin Xu
Hi, the usage of the following configs of Key Management Server (KMS) is problematic:
{{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
{{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}
The names indicate that the units are {{sec}}, and the online doc shows that the default values are {{86400}} and {{3600}}, respectively.
https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
which is also defined in
{code:title=DelegationTokenManager.java|borderStyle=solid}
public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
...
public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
    "removal-scan-interval.sec";
public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
{code}
However, in {{DelegationTokenManager.java}} and {{ZKDelegationTokenSecretManager.java}}, these two parameters are used incorrectly.
1. *{{DelegationTokenManager.java}}*
{code}
70 conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
71 conf.getLong(REMOVAL_SCAN_INTERVAL,
72 REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
{code}
Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same way as {{RENEW_INTERVAL}}, like
{code}
72c72
< REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
---
> REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
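Review bot: the corrected line 72 only changes behaviour when the key is set explicitly, because with the key unset both the old and the new form evaluate to {{REMOVAL_SCAN_INTERVAL_DEFAULT * 1000}}, so a run with default settings will not show the difference. A test that sets {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} to a non-default value and checks the interval passed on in milliseconds would cover the fix and keep line 72 consistent with line 70.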
Currently, the unit of {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} is not {{sec}} but {{millisec}}.
2. *{{ZKDelegationTokenSecretManager.java}}*
{code}
142 conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
143 DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
144 conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
145 DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
The situation is the opposite in this class: {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} is wrong but the other is correct...
A patch should be like
{code}
143c143
< DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
---
> DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
{code}
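Review bot: the seconds-to-milliseconds conversion at lines 142-145 is written by hand here and again in {{DelegationTokenManager.java}}, and the closing parenthesis is misplaced on a different parameter in each file, so fixing line 143 in place leaves the pattern easy to break again. Consider one shared helper that reads a {{.sec}} key with its default and returns milliseconds, called from both sites. The change description should also state that an explicitly configured {{renew-interval.sec}} in this class becomes 1000 times longer once the patch is applied, since it is currently read as milliseconds.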
Thanks!