[
https://issues.apache.org/jira/browse/HADOOP-13206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15386562#comment-15386562
]
Chris Nauroth commented on HADOOP-13206:
----------------------------------------
Hello [~zhz]. You might also be interested in HADOOP-12954 and MAPREDUCE-6565,
which discuss a few more wrinkles with {{hadoop.security.token.service.use_ip}}.

I see a potential problem in the proposed patch. The point of using IP address
in the delegation token service was to prevent unnecessary repeated DNS
lookups. The proposed patch would result in re-introducing some of those
lookups in the fallback case when the service doesn't match. If we consider a
scenario with a client holding delegation tokens for multiple clusters, such as
a cross-cluster DistCp, then we definitely would re-resolve DNS lookups a few
times.

I see you did some investigation into why the 2.3.0 client produces an IP
address and later versions don't. Do you think this is simply a bug in 2.3.0,
which has been subsequently fixed (perhaps unintentionally)? IOW, do you think
it's appropriate to resolve this with no action, rather than commit a patch
that introduces potential performance problems, only to work around buggy
behavior in an older client version?

> Delegation token cannot be fetched and used by different versions of client
> ---------------------------------------------------------------------------
>
> Key: HADOOP-13206
> URL: https://issues.apache.org/jira/browse/HADOOP-13206
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0, 2.6.1
> Reporter: Zhe Zhang
> Assignee: Zhe Zhang
> Attachments: HADOOP-13206.00.patch, HADOOP-13206.01.patch,
> HADOOP-13206.02.patch
>
>
> We have observed that an HDFS delegation token fetched by a 2.3.0 client
> cannot be used by a 2.6.1 client, and vice versa. Through some debugging I
> found that it's a mismatch between the token's {{service}} and the
> {{service}} of the filesystem (e.g. {{webhdfs://host.something.com:50070/}}).
> One would be in numerical IP address and one would be in non-numerical
> hostname format.
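
Added example (not part of the original message, and not Hadoop code or the attached patch): a simplified Python model of the trade-off discussed above, where an exact match on the token's service string needs no DNS, while a fallback that reconciles IP and hostname forms resolves stored services again. The hostnames, addresses, token labels, and the shape of the fallback are assumptions made for illustration.

```python
# Simplified model for illustration only; not Hadoop's token selector.
# Constructed DNS table standing in for a real resolver.
DNS = {"nn1.example.com": "10.0.0.1",
       "nn2.example.com": "10.0.0.2",
       "nn3.example.com": "10.0.0.3"}


class CountingResolver:
    """Resolves hostnames from the constructed table and counts lookups."""
    def __init__(self, table):
        self.table, self.lookups = table, 0

    def resolve(self, host):
        self.lookups += 1
        return self.table[host]


def is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def select_exact(tokens, service):
    """Exact string match on the service; never touches DNS."""
    return tokens.get(service)


def select_with_fallback(tokens, service, resolver):
    """Exact match first; on a miss, compare in IP form (assumed fallback)."""
    token = select_exact(tokens, service)
    if token is not None:
        return token

    def to_ip_form(svc):
        host, port = svc.rsplit(":", 1)
        return (host if is_ip(host) else resolver.resolve(host)) + ":" + port

    wanted = to_ip_form(service)
    for svc, tok in tokens.items():
        if to_ip_form(svc) == wanted:  # one DNS lookup per hostname-form token
            return tok
    return None


def demo():
    # Tokens for three clusters, stored with hostname-form services.
    tokens = {h + ":50070": "T%d" % i for i, h in enumerate(DNS, 1)}
    resolver = CountingResolver(DNS)
    service = "10.0.0.3:50070"  # filesystem service in IP form
    exact = select_exact(tokens, service)
    fallback = select_with_fallback(tokens, service, resolver)
    return exact, fallback, resolver.lookups
```

In this model `demo()` shows the exact match missing, the fallback finding the third cluster's token, and three DNS lookups spent doing so; the cost grows with the number of tokens the client holds.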