You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2016/08/12 06:11:20 UTC

[jira] [Commented] (HADOOP-13487) Hadoop KMS doesn't clean up old delegation tokens stored in Zookeeper

    [ https://issues.apache.org/jira/browse/HADOOP-13487?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15418406#comment-15418406 ] 

Xiao Chen commented on HADOOP-13487:
------------------------------------

Thanks for reporting this, [~Aguinore].

Just to clarify, the tokens will only be cleaned up after they reach max lifetime (7 days by default).

If you're sure the tokens in zookeeper is expired, a workaround would be to remove them manually. But before that, would you mind capture a snapshot of zoookeeper's znodes here, for investigation?

> Hadoop KMS doesn't clean up old delegation tokens stored in Zookeeper
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-13487
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13487
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.6.0
>            Reporter: Alex Ivanov
>
> Configuration:
> CDH 5.5.1 (Hadoop 2.6+)
> KMS configured to store delegation tokens in Zookeeper
> DEBUG logging enabled in /etc/hadoop-kms/conf/kms-log4j.properties
> Findings:
> It seems to me delegation tokens never get cleaned up from Zookeeper past their renewal date. I can see in the logs that the removal thread is started with the expected interval:
> {code}
> 2016-08-11 08:15:24,511 INFO  AbstractDelegationTokenSecretManager - Starting expired delegation token remover thread, tokenRemoverScanInterval=60 min(s)
> {code}
> However, I don't see any delegation token removals, indicated by the following log message:
> org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager --> removeStoredToken(TokenIdent ident), line 769 [CDH]
> {code}
>     if (LOG.isDebugEnabled()) {
>       LOG.debug("Removing ZKDTSMDelegationToken_"
>           + ident.getSequenceNumber());
>     }
> {code}
> Meanwhile, I see a lot of expired delegation tokens in Zookeeper that don't get cleaned up.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org