Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2017/11/13 22:04:00 UTC

[jira] [Commented] (HADOOP-14104) Client should always ask namenode for kms provider path.

    [ https://issues.apache.org/jira/browse/HADOOP-14104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250323#comment-16250323 ] 

Xiao Chen commented on HADOOP-14104:
------------------------------------

Thanks Rushabh and all for the contribution here.

Just a note:
We have had a downstream application broken, due to the 'cache the nameservice to provider mapping into UGI credentials' logic:
- application operates with 2 clusters, which have the same NN nameservice.
- application loads two configuration objects with corresponding cluster, and creates 2 separate dfsclients.
- All these are done using the same UGI.

This worked for them before. 

Upon going into a version with HADOOP-14104, accessing one of the clusters would fail with 'key not found'. This is because there is only 1 mapping from nameservice -> kms in the UGI credentials. So {{[DFSClient#getKeyProviderUri|https://github.com/apache/hadoop/blob/branch-3.0.0-beta1/hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSClient.java#L2991]}} always finds the same KMS provider uri, for both clusters.

Having identical nameservices for multiple clusters is arguably a mis-configuration (and is how we moved over the issue at the time - luckily one of the clusters could be changed without too much trouble). But ideally this should work regardless. I don't have a great idea on how to fix this, but figured I'd at least share the problem statement.

> Client should always ask namenode for kms provider path.
> --------------------------------------------------------
>
>                 Key: HADOOP-14104
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14104
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>            Reporter: Rushabh S Shah
>            Assignee: Rushabh S Shah
>             Fix For: 2.9.0, 3.0.0-alpha4, 2.8.2
>
>         Attachments: HADOOP-14104-branch-2.8.patch, HADOOP-14104-branch-2.patch, HADOOP-14104-trunk-v1.patch, HADOOP-14104-trunk-v2.patch, HADOOP-14104-trunk-v3.patch, HADOOP-14104-trunk-v4.patch, HADOOP-14104-trunk-v5.patch, HADOOP-14104-trunk.patch
>
>
> According to current implementation of kms provider in client conf, there can only be one kms.
> In multi-cluster environment, if a client is reading encrypted data from multiple clusters it will only get kms token for local cluster.
> Not sure whether the target version is correct or not.



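The collision described in the comment above, as an added example that is not part of the original message and is not Hadoop's own code. It models the per-UGI nameservice -> KMS mapping with a plain map; the class, the method bodies, the nameservice "ns1" and the KMS hosts are constructed for illustration, and findCollisions is a hypothetical pre-flight check a client could run before sharing one UGI across clusters.

```java
import java.util.HashMap;
import java.util.Map;

public class NameserviceKmsCollision {
    // Stand-in for the UGI credentials: one KMS URI per nameservice.
    // A plain map is used as a model; this is not Hadoop's Credentials class.
    static final Map<String, String> ugiCredentials = new HashMap<>();

    // Models the lookup the comment describes: once a mapping for the
    // nameservice is cached, it is returned for every client on that UGI,
    // whatever the cluster being accessed would report.
    static String getKeyProviderUri(String nameservice, String uriFromCluster) {
        return ugiCredentials.computeIfAbsent(nameservice, ns -> uriFromCluster);
    }

    // Hypothetical pre-flight check: report every nameservice that appears
    // in more than one cluster definition with a different KMS URI.
    static Map<String, String> findCollisions(String[][] clusters) {
        Map<String, String> seen = new HashMap<>();
        Map<String, String> collisions = new HashMap<>();
        for (String[] cluster : clusters) {
            String previous = seen.putIfAbsent(cluster[0], cluster[1]);
            if (previous != null && !previous.equals(cluster[1])) {
                collisions.put(cluster[0], previous + " vs " + cluster[1]);
            }
        }
        return collisions;
    }

    public static void main(String[] args) {
        // Constructed sample: two clusters, same nameservice, different KMS.
        String[][] clusters = {
            {"ns1", "kms://https@kms-a.example.com:9600/kms"},
            {"ns1", "kms://https@kms-b.example.com:9600/kms"},
        };
        for (String[] cluster : clusters) {
            String resolved = getKeyProviderUri(cluster[0], cluster[1]);
            // The second cluster resolves to the first cluster's KMS, so its
            // encryption zone keys cannot be found there.
            System.out.println(cluster[0] + ": expected " + cluster[1]
                    + ", resolved " + resolved);
        }
        System.out.println("collisions: " + findCollisions(clusters));
    }
}
```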