Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2016/06/24 03:55:16 UTC

[jira] [Comment Edited] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token

    [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347649#comment-15347649 ] 

Xiao Chen edited comment on HADOOP-13251 at 6/24/16 3:54 AM:
-------------------------------------------------------------

FYI - I created HADOOP-13316 for a security issue on the server-side with DT. Not really related to this jira though.


was (Author: xiaochen):
FYI - I created HADOOP-13316 for a security issue on the server side with DT.

> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.innocent.patch
>
>
> Turns out the KMS delegation token renewal feature (HADOOP-13155) does not work well with client-side impersonation.
> In an MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and passes them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the KMS server side to decide the renewer, which is then always the token's owner. This ends up rejecting the renew request due to renewer mismatch.


