[jira] [Commented] (HADOOP-13206) Delegation token cannot be fetched and used by different versions of client

Wed, 01 Jun 2016 22:57:08 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-13206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15311795#comment-15311795
 ] 

Zhe Zhang commented on HADOOP-13206:
------------------------------------

Jenkins failure is unrelated to the change and passes locally.

I took another look at the error I was getting. A possible reason is that the 
clients use different {{hadoop.security.token.service.use_ip}} config values.

Basically, this {{selectToken}} method goes over the {{tokens}} list and find 
the first matching token. There are only two matching criteria: the {{token}} 
has the right {{kind}} (e.g. is HDFS delegation token instead of YARN), and the 
{{service}} text matches with the give {{service}} parameter.

So any {{Text}} can be used as the input parameter. A token could also have 
{{service}} field as arbitrary {{Text}}.This JIRA only aims at improving the 
matching logic for the two {{service}} strings such that an IP address matches 
with a {{host:port}} string pointing to the same node. If the given {{service}} 
or the {{service}} in the {{token}} are in other formats and don't 
string-match, we should just pass over that {{token}} instead of throwing an 
exception or printing a WARN.

> Delegation token cannot be fetched and used by different versions of client
> ---------------------------------------------------------------------------
>
>                 Key: HADOOP-13206
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13206
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0, 2.6.1
>            Reporter: Zhe Zhang
>            Assignee: Zhe Zhang
>         Attachments: HADOOP-13206.00.patch, HADOOP-13206.01.patch, 
> HADOOP-13206.02.patch
>
>
> We have observed that an HDFS delegation token fetched by a 2.3.0 client 
> cannot be used by a 2.6.1 client, and vice versa. Through some debugging I 
> found that it's a mismatch between the token's {{service}} and the 
> {{service}} of the filesystem (e.g. {{webhdfs://host.something.com:50070/}}). 
> One would be in numerical IP address and one would be in non-numerical 
> hostname format.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to