Hankó Gergely created HADOOP-16819:
--------------------------------------
Summary: Possible inconsistent state of
AbstractDelegationTokenSecretManager
Key: HADOOP-16819
URL: https://issues.apache.org/jira/browse/HADOOP-16819
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Hankó Gergely
[AbstractDelegationTokenSecretManager.updateCurrentKey|[https://github.com/apache/hadoop/blob/581072a8f04f7568d3560f105fd1988d3acc9e54/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java#L360]]
increments the current key id and creates the new delegation key in two
distinct synchronized blocks.
This means that other threads can see the class in an *inconsistent state,
where the key for the current key id doesn't exist (yet)*.
For example the following method sometimes returns null when the token remover
thread is between the two synchronized blocks:
{noformat}
@Override
public DelegationKey getCurrentKey() {
return getDelegationKey(getCurrentKeyId());
}{noformat}
Also it is possible that updateCurrentKey is called from multiple threads at
the same time so *distinct keys can be generated with the same key id*.
This issue is suspected to be the cause of the intermittent failure of
[TestLlapSignerImpl.testSigning|[https://github.com/apache/hive/blob/3c0705eaf5121c7b61f2dbe9db9545c3926f26f1/llap-server/src/test/org/apache/hadoop/hive/llap/security/TestLlapSignerImpl.java#L195]]
- HIVE-22621.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
