Wei-Chiu Chuang created HADOOP-14445:
----------------------------------------
Summary: Delegation tokens are not shared between KMS instances
Key: HADOOP-14445
URL: https://issues.apache.org/jira/browse/HADOOP-14445
Project: Hadoop Common
Issue Type: Bug
Components: documentation, kms
Affects Versions: 3.0.0-alpha1, 2.8.0
Reporter: Wei-Chiu Chuang
As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
not share delegation tokens. (a client use KMS address/port as the key for
delegation token)
{code:title=DelegationTokenAuthenticatedURL#openConnection}
if (!creds.getAllTokens().isEmpty()) {
InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
url.getPort());
Text service = SecurityUtil.buildTokenService(serviceAddr);
dToken = creds.getToken(service);
{code}
But KMS doc states:
{quote}
Delegation Tokens
Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
tokens too.
Under HA, A KMS instance must verify the delegation token given by another KMS
instance, by checking the shared secret used to sign the delegation token. To
do this, all KMS instances must be able to retrieve the shared secret from
ZooKeeper.
{quote}
We should either update the KMS documentation, or fix this code to share
delegation tokens.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
