Wei-Chiu Chuang created HADOOP-14441:
----------------------------------------
Summary: LoadBalancingKMSClientProvider#addDelegationTokens should
add delegation tokens from all KMS instances
Key: HADOOP-14441
URL: https://issues.apache.org/jira/browse/HADOOP-14441
Project: Hadoop Common
Issue Type: Bug
Components: kms
Affects Versions: 2.7.0
Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
Reporter: Wei-Chiu Chuang
Assignee: Wei-Chiu Chuang
LoadBalancingKMSClientProvider only gets a delegation token from one KMS
instance, in a round-robin fashion. This is arguably a bug, as JavaDoc for
{{KeyProviderDelegationTokenExtension#addDelegationTokens}} states:
{quote}
/**
* The implementer of this class will take a renewer and add all
* delegation tokens associated with the renewer to the
* <code>Credentials</code> object if it is not already present,
...
**/
{quote}
This bug doesn't pop up very often, because HDFS clients such as MapReduce
unintentionally call {{FileSystem#addDelegationTokens}} multiple times.
We have a custom client that accesses HDFS/KMS-HA using delegation tokens, and
we were puzzled why it always throws "Failed to find any Kerberos tgt"
exceptions talking to one KMS but not the other. Turns out that client couldn't
talk to the KMS because {{FileSystem#addDelegationTokens}} only gets one KMS
delegation token at a time.
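The behaviour reported above, as an added example that is not part of the original report and is not Hadoop code: a simplified Java model in which the `Kms` record, the credentials map, and the host names are hypothetical stand-ins. It assumes each KMS instance issues a token keyed by its own service address, and compares round-robin collection with collecting from every instance.

```java
import java.util.*;

// Simplified model of HADOOP-14441. All types are hypothetical stand-ins,
// not Hadoop's KMSClientProvider, Credentials or Token classes.
public class KmsTokenModel {
    // Assumption: a token is only valid for the instance that issued it,
    // so credentials are keyed by the instance's service address.
    record Kms(String service) {
        void addDelegationToken(String renewer, Map<String, String> creds) {
            creds.putIfAbsent(service, "token-for-" + renewer + "@" + service);
        }
    }

    private final List<Kms> instances;
    private int next = 0; // round-robin cursor

    KmsTokenModel(List<Kms> instances) { this.instances = instances; }

    // Reported behaviour: each call asks only the next instance in rotation.
    void addTokensRoundRobin(String renewer, Map<String, String> creds) {
        instances.get(next++ % instances.size()).addDelegationToken(renewer, creds);
    }

    // Behaviour the issue asks for: every instance contributes its token.
    void addTokensFromAll(String renewer, Map<String, String> creds) {
        for (Kms kms : instances) kms.addDelegationToken(renewer, creds);
    }

    // Instances a token-only client (no Kerberos TGT) cannot authenticate to.
    List<String> missingTokens(Map<String, String> creds) {
        List<String> missing = new ArrayList<>();
        for (Kms kms : instances)
            if (!creds.containsKey(kms.service())) missing.add(kms.service());
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample addresses for a two-node KMS-HA setup.
        KmsTokenModel lb = new KmsTokenModel(List.of(
            new Kms("kms1.example.com:16000"), new Kms("kms2.example.com:16000")));
        Map<String, String> rr = new HashMap<>();
        lb.addTokensRoundRobin("yarn", rr);   // custom client: a single call
        System.out.println("round-robin x1, missing: " + lb.missingTokens(rr));
        lb.addTokensRoundRobin("yarn", rr);   // a repeated call masks the gap
        System.out.println("round-robin x2, missing: " + lb.missingTokens(rr));
        Map<String, String> all = new HashMap<>();
        lb.addTokensFromAll("yarn", all);     // one call covers every instance
        System.out.println("all instances, missing: " + lb.missingTokens(all));
    }
}
```

Records require Java 16 or later.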