[jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances

[Rushabh S Shah (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16029826#comment-16029826
 ] 

Rushabh S Shah commented on HADOOP-14445:
-----------------------------------------

bq. For clients which are running without the fix, the behavior will be the 
same as before;

{code:title=KMSClientProvider.java|borderStyle=solid}
 public DelegationTokenAuthenticatedURL createKMSAuthenticatedURL() {
    return  new DelegationTokenAuthenticatedURL(configurator) {
      @Override
      public Text getDelegationTokenService(URL url) {
        return clientProvidedUriText;
      }
    };
  }
{code}
For example if a job was submitted with a token having tokenService in the 
format {{ip:port}}.
The newer client having the fix will fail to read the token with tokenService 
as {{full kms url}} even if the job client has acquired the token and the token 
is good to authenticate.
Does it make sense ?

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: documentation, kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>            Reporter: Wei-Chiu Chuang
>            Assignee: Rushabh S Shah
>         Attachments: HADOOP-14445-branch-2.8.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do 
> not share delegation tokens. (a client uses KMS address/port as the key for 
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation 
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another 
> KMS instance, by checking the shared secret used to sign the delegation 
> token. To do this, all KMS instances must be able to retrieve the shared 
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share 
> delegation tokens.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org