Posted to issues@ozone.apache.org by "Xiaoyu Yao (Jira)" <ji...@apache.org> on 2020/04/30 16:38:00 UTC
[jira] [Created] (HDDS-3515) Ensure consistent OM token service field in HA environment
Xiaoyu Yao created HDDS-3515:
--------------------------------
Summary: Ensure consistent OM token service field in HA environment
Key: HDDS-3515
URL: https://issues.apache.org/jira/browse/HDDS-3515
Project: Hadoop Distributed Data Store
Issue Type: Bug
Components: Security
Affects Versions: 0.5.0
Reporter: Namit Maheshwari
Assignee: Xiaoyu Yao
Currently OMFailoverProxyProvider#computeDelegationTokenService calculates the canonical token service name based on the enumeration order of the configured OM instances. An example service field can be like TS1: "om1addr:port,om2addr:port,om3addr:port"

This could be problematic when:
1) clients have different omId to omRpcAddresses mappings
2) configuration enumeration orders are different among clients

Depending on the client configuration and enumeration order, the client may get its canonical token service in a different order, like TS2: "om2addr:port,om1addr:port,om3addr:port"

MR/Yarn/Spark on Yarn rely on the token service as the key to check the UGI credential when building the token cache map. When a client gets TS2 even though it has an OM token with TS1, the client will try to collect the OM token again. This will not work in a YARN container (e.g., Spark on Yarn cluster mode), which may not have the Kerberos ticket to fetch the token.

The proposed fix is to provide a consistent canonical token service for all OM clients in order.
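The mismatch described in this issue, shown as an added example that is not part of the original report and is not Ozone's code: a stand-alone Java program in which two clients derive the token service from differently ordered configurations, and a map keyed by that string stands in for the credential lookup. The class and method names, the addresses, port 9862 and the token value are constructed for illustration, and sorting the addresses is an assumed way to obtain a consistent order, not necessarily the fix that was committed.

```java
import java.util.*;

// Hypothetical demo class; none of these names come from Ozone.
public class TokenServiceOrderDemo {

    // Behaviour the issue describes: join addresses in configuration enumeration order.
    static String enumerationOrderService(Map<String, String> omIdToAddr) {
        return String.join(",", omIdToAddr.values());
    }

    // Assumed fix strategy: sort the addresses so every client derives the same string.
    static String sortedService(Map<String, String> omIdToAddr) {
        List<String> addrs = new ArrayList<>(omIdToAddr.values());
        Collections.sort(addrs);
        return String.join(",", addrs);
    }

    // Constructed sample config: LinkedHashMap keeps the insertion (enumeration) order.
    static Map<String, String> config(String... idAddrPairs) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i < idAddrPairs.length; i += 2) {
            m.put(idAddrPairs[i], idAddrPairs[i + 1]);
        }
        return m;
    }

    public static void main(String[] args) {
        // Same three OMs; the second client maps omIds to addresses differently.
        Map<String, String> submitter = config(
            "om1", "om1addr:9862", "om2", "om2addr:9862", "om3", "om3addr:9862");
        Map<String, String> container = config(
            "om1", "om2addr:9862", "om2", "om1addr:9862", "om3", "om3addr:9862");

        // Stand-in for the credential map keyed by token service (placeholder token value).
        Map<String, String> byEnumeration = new HashMap<>();
        byEnumeration.put(enumerationOrderService(submitter), "om-delegation-token");
        Map<String, String> bySorted = new HashMap<>();
        bySorted.put(sortedService(submitter), "om-delegation-token");

        System.out.println("TS1 = " + enumerationOrderService(submitter));
        System.out.println("TS2 = " + enumerationOrderService(container));
        System.out.println("token found, enumeration order: "
            + byEnumeration.containsKey(enumerationOrderService(container)));
        System.out.println("token found, sorted order: "
            + bySorted.containsKey(sortedService(container)));
    }
}
```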