Posted to common-dev@hadoop.apache.org by "Tianyin Xu (JIRA)" <ji...@apache.org> on 2015/12/19 03:13:46 UTC

[jira] [Created] (HADOOP-12659) Incorrect usage of config parameters in token manager of KMS

Tianyin Xu created HADOOP-12659:
-----------------------------------

             Summary: Incorrect usage of config parameters in token manager of KMS
                 Key: HADOOP-12659
                 URL: https://issues.apache.org/jira/browse/HADOOP-12659
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.2, 2.7.1
            Reporter: Tianyin Xu


Hi, the usage of the following configs of the Key Management Server (KMS) is problematic:
{{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
{{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}

The name indicates that the units are {{sec}}, and the online doc shows that the default values are {{86400}} and {{3600}}, respectively.
https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
These are also defined in
{code:title=DelegationTokenManager.java|borderStyle=solid}
  public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
  public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
  ...
  public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
      "removal-scan-interval.sec";
  public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
{code}

However, in {{DelegationTokenManager.java}} and {{ZKDelegationTokenSecretManager.java}}, these two parameters are used incorrectly.

1. *{{DelegationTokenManager.java}}*
{code}
 70           conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
 71           conf.getLong(REMOVAL_SCAN_INTERVAL, 
 72               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
{code}

Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same way as {{RENEW_INTERVAL}}, like
{code}
72c72
<               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
---
>               REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
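Review bot: at line 72 the default path yields the same number before and after this change (REMOVAL_SCAN_INTERVAL_DEFAULT * 1000 either way), so a test that leaves the key unset cannot tell the two versions apart; add one that sets hadoop.kms.authentication.delegation-token.removal-scan-interval.sec explicitly and checks that the interval handed on is 1000 times that value. Because a set value is currently taken as milliseconds, a deployment that tuned it to match the present behaviour will get a scan interval 1000 times longer after the fix, which is worth a release note.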
Currently, the unit of {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} is not {{sec}} but {{millisec}}.

2. *{{ZKDelegationTokenSecretManager.java}}*
{code}
142         conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
143             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
144         conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
145             DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
The situation is the opposite in this class: {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} is wrong but the other is correct.
A patch should be like
{code}
143c143
<             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
---
>             DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
{code}
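Review bot: line 143 has the same misplaced parenthesis that line 72 of DelegationTokenManager.java has on the other parameter, which shows the seconds-to-milliseconds conversion being written by hand at each of the four conf.getLong call sites; consider a single small helper that reads the key and scales the returned value, shared by both classes, so the two files cannot drift apart again. As with the other hunk, only a test that sets renew-interval.sec explicitly will exercise the changed path, since the unset case multiplies the default by 1000 in both versions.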

Thanks!




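The effect of the parenthesis placement described in the report, as an added example (not code from the report or from Hadoop). `getLong` below is a hypothetical stand-in for `Configuration.getLong`, the class and helper names are made up for illustration, and the explicit values are constructed samples equal to the documented defaults.

```java
import java.util.HashMap;
import java.util.Map;

public class IntervalUnitDemo {
    // Key names and defaults (in seconds) as quoted in the report.
    static final String PREFIX = "hadoop.kms.authentication.delegation-token.";
    static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
    static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
    static final String REMOVAL_SCAN_INTERVAL = PREFIX + "removal-scan-interval.sec";
    static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;

    // Hypothetical stand-in for Hadoop's Configuration.getLong(name, default).
    static long getLong(Map<String, String> conf, String name, long defaultValue) {
        String v = conf.get(name);
        return v == null ? defaultValue : Long.parseLong(v.trim());
    }

    // Pattern from the report: only the default is scaled to milliseconds,
    // so a value that is actually set is passed through unscaled.
    static long reportedMillis(Map<String, String> conf, String name, long defSec) {
        return getLong(conf, name, defSec * 1000);
    }

    // Proposed pattern: whatever was read (set value or default) is scaled.
    static long proposedMillis(Map<String, String> conf, String name, long defSec) {
        return getLong(conf, name, defSec) * 1000;
    }

    static void show(String label, Map<String, String> conf, String name, long defSec) {
        System.out.printf("%-24s %-26s reported=%d ms, proposed=%d ms%n", label,
            name.substring(PREFIX.length()), reportedMillis(conf, name, defSec),
            proposedMillis(conf, name, defSec));
    }

    public static void main(String[] args) {
        Map<String, String> unset = new HashMap<>();     // nothing configured
        Map<String, String> explicit = new HashMap<>();  // constructed sample values
        explicit.put(RENEW_INTERVAL, "86400");
        explicit.put(REMOVAL_SCAN_INTERVAL, "3600");

        show("unset (defaults)", unset, RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT);
        show("unset (defaults)", unset, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT);
        show("set to documented value", explicit, RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT);
        show("set to documented value", explicit, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT);
    }
}
```

With the keys unset both patterns return the same milliseconds, so the difference only shows once an operator sets a value, at which point the reported pattern treats the seconds figure as milliseconds.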