Posted to common-issues@hadoop.apache.org by "Xiaoyu Yao (JIRA)" <ji...@apache.org> on 2016/10/23 15:40:59 UTC

[jira] [Comment Edited] (HADOOP-13749) KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used

    [ https://issues.apache.org/jira/browse/HADOOP-13749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15599835#comment-15599835 ] 

Xiaoyu Yao edited comment on HADOOP-13749 at 10/23/16 3:40 PM:
---------------------------------------------------------------

Thanks [~brahma] for reporting the issue. HADOOP-13748 is a test bug that was surfaced with this change. 
I've reverted this one from trunk, branch-2 and branch-2.8 and converted it to hadoop common. 
The new patch attached includes the original change from HDFS-10757 and the unit test fix for TestKMS. Please review. Thanks!


was (Author: xyao):
Thanks [~brahma] for reporting the issue. HADOOP-13748 is a test bug that was surfaced with this change. 
I've reverted this one from trunk, branch-2 and branch-2.8 and converted it to hadoop common. I will recommit it after the unit test fix for HADOOP-13748 is in.

> KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used
> -----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13749
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13749
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Xiaoyu Yao
>            Priority: Critical
>             Fix For: 2.8.0, 3.0.0-alpha2
>
>         Attachments: HADOOP-13749.00.patch, HDFS-10757.00.patch, HDFS-10757.01.patch, HDFS-10757.02.patch, HDFS-10757.03.patch
>
>
> ClientContext::get gets the context from CACHE via a config setting based name, then KeyProviderCache stored in ClientContext gets the key provider cached by URI from the configuration, too. These would return the same KeyProvider regardless of current UGI.
> KMSClientProvider caches the UGI (actualUgi) in ctor; that means in particular that all the users of DFS with KMSClientProvider in a process will get the KMS token (along with other credentials) of the first user, via the above cache.
> Either KMSClientProvider shouldn't store the UGI, or one of the caches should be UGI-aware, like the FS object cache.
> Side note: the comment in createConnection that purports to handle the different UGI doesn't seem to cover what it says it covers. In our case, we have two unrelated UGIs with no auth (createRemoteUser) with a bunch of tokens, including a KMS token, added.



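The caching behaviour described in the issue, as an added example that is not part of the original message or of Hadoop's code: a simplified, self-contained model in which a provider captures the caller's identity in its constructor and is then served from a cache keyed by URI only, next to the "UGI-aware cache" option the reporter suggests. The class names, the plain-string user and the KMS URI are assumptions made for illustration (Java 16+ for `record`).

```java
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model of the HADOOP-13749 report. These classes are hypothetical
// stand-ins, not Hadoop's KMSClientProvider, KeyProviderCache or UGI.
public class UgiCacheDemo {

    // Like the provider in the report, this one stores the caller's identity
    // at construction time and keeps using it afterwards.
    static final class Provider {
        final URI uri;
        final String actualUser;
        Provider(URI uri, String user) { this.uri = uri; this.actualUser = user; }
    }

    // Cache keyed by URI only: whoever asks first decides the identity that
    // every later caller in the process gets back.
    static final class UriKeyedCache {
        private final Map<URI, Provider> cache = new ConcurrentHashMap<>();
        Provider get(URI uri, String currentUser) {
            return cache.computeIfAbsent(uri, u -> new Provider(u, currentUser));
        }
    }

    // User-aware cache: the caller's identity is part of the key, so two
    // users asking for the same URI never share a provider instance.
    record Key(URI uri, String user) {}

    static final class UserAwareCache {
        private final Map<Key, Provider> cache = new ConcurrentHashMap<>();
        Provider get(URI uri, String currentUser) {
            return cache.computeIfAbsent(new Key(uri, currentUser),
                    k -> new Provider(k.uri(), k.user()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample URI and user names.
        URI kms = URI.create("kms://https@kms.example.invalid:9600/kms");

        UriKeyedCache shared = new UriKeyedCache();
        shared.get(kms, "alice");                    // first user populates the cache
        Provider forBob = shared.get(kms, "bob");    // second user gets alice's provider
        System.out.println("URI-keyed cache, caller bob, acts as: " + forBob.actualUser);

        UserAwareCache perUser = new UserAwareCache();
        perUser.get(kms, "alice");
        Provider bobsOwn = perUser.get(kms, "bob");
        System.out.println("User-aware cache, caller bob, acts as: " + bobsOwn.actualUser);
    }
}
```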