You are viewing a plain text version of this content. The canonical link for it is here.
Posted to common-issues@hadoop.apache.org by "Xiaoyu Yao (JIRA)" <ji...@apache.org> on 2016/01/21 22:55:40 UTC

[jira] [Updated] (HADOOP-12659) Incorrect usage of config parameters in token manager of KMS

     [ https://issues.apache.org/jira/browse/HADOOP-12659?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaoyu Yao updated HADOOP-12659:
--------------------------------
       Resolution: Fixed
     Hadoop Flags: Reviewed
    Fix Version/s: 2.8.0
           Status: Resolved  (was: Patch Available)

Thanks [~liuml07] for the contribution and all for the reviews. I've committed the patch to trunk, branch-2 and branch-2.8.

> Incorrect usage of config parameters in token manager of KMS
> ------------------------------------------------------------
>
>                 Key: HADOOP-12659
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12659
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.7.1, 2.6.2
>            Reporter: Tianyin Xu
>            Assignee: Mingliang Liu
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-12659.000.patch
>
>
> Hi, the usage of the following configs of Key Management Server (KMS) are problematic: 
> {{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
> {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}
> The name indicates that the units are {{sec}}, and the online doc shows that the default values are {{86400}} and {{3600}}, respectively.
> https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
> which is also defined in
> {code:title=DelegationTokenManager.java|borderStyle=solid}
>  55   public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
>  56   public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
>  ...
>  58   public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
>  59       "removal-scan-interval.sec";
>  60   public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
> {code}
> However, in {{DelegationTokenManager.java}} and {{ZKDelegationTokenSecretManager.java}}, these two parameters are used incorrectly.
> 1. *{{DelegationTokenManager.java}}*
> {code}
>  70           conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
>  71           conf.getLong(REMOVAL_SCAN_INTERVAL, 
>  72               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
> {code}
> Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same way as {{RENEW_INTERVAL}}, like
> {code}
> 72c72
> <               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
> ---
> >               REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
> {code}
> Currently, the unit of {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} is not {{sec}} but {{millisec}}.
> 2. *{{ZKDelegationTokenSecretManager.java}}*
> {code}
> 142         conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
> 143             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
> 144         conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
> 145             DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
> {code}
>  The situation is the opposite in this class that {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} is wrong but the other is correct...
> A patch should be like
> {code}
> 143c143
> <             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
> ---
> >             DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
> {code}
> Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)