You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Xiao Chen (JIRA)" <ji...@apache.org> on 2018/01/25 05:08:00 UTC

[jira] [Comment Edited] (HADOOP-14445) Delegation tokens are not shared between KMS instances

    [ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16337925#comment-16337925 ] 

Xiao Chen edited comment on HADOOP-14445 at 1/25/18 5:07 AM:
-------------------------------------------------------------

Thanks for the work here Rushabh, latest patch looks really promising! Appreciate the thorough test coverage.

I also ran some more tests with this patch on a test cluster, and things look good. The binary upgrade is compatible, and the format switch is done with an additional config deployment. This is more or less inline with what [~daryn] suggested above I think.

Some comments in latest patch, mostly nits:
 * We need some sort of formal documentation on upgrading -> changing the config. Either in docs or a detailed release note would do.
 * KMSCP: Please rename the variables to be the common hadoop naming convention (xxx_KEY, xxx_DEFAULT)
 * The above config should be added to core-default.
 * KMSCP: typo, "then he value is read from" s/he value/the value/g
 * KMSCP: There are some extra line breaks after createKMSAuthenticatedURL.
 * KMSCP: {{containsKmsDt}}'s existing log isn't accurate. Suggest to move that to after the {{getTokenFromCredentials}} call, and log out what token it actually got.
 * TestLoadBalancingKMSClientProvider.java: I think we don't need to set the injector during @BeforeClass
 * TestKMS: some unused variables can be removed: line 2606 {{renewed}}, line 2653 {{kp1}}.

My 'key operations' comments meant to say we actually use the token to do something. You happen to add the same in the new tests. :) So overall I'm +1 pending the above.


was (Author: xiaochen):
Thanks for the work here Rushabh, latest patch looks really promising! Appreciate the thorough test coverage.

I will run some more tests with this patch on a test cluster, and will comment back.

Some comments in latest patch, mostly nits:
 * We need some sort of formal documentation on upgrading -> changing the config. Either in docs or a detailed release note would do.
 * KMSCP: Please move the new config to KMSConfiguration.java. Also rename the variables to be the common hadoop naming convention (xxx_KEY, xxx_DEFAULT)
 * KMSCP: typo, "then he value is read from" s/he value/the value/g
 * KMSCP: There are some extra line breaks after createKMSAuthenticatedURL.
 * KMSCP: {{containsKmsDt}}'s existing log isn't accurate. Suggest to move that to after the {{getTokenFromCredentials}} call, and log out what token it actually got.
 * TestLoadBalancingKMSClientProvider.java: I think we don't need to set the injector during @BeforeClass
 * TestKMS: some unused variables can be removed: line 2606 {{renewed}}, line 2653 {{kp1}}.

My 'key operations' comments meant to say we actually use the token to do something. You happen to add the same in the new tests. :)

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Rushabh S Shah
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, HADOOP-14445.003.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share delegation tokens. (a client uses KMS address/port as the key for delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too.
> Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org