[
https://issues.apache.org/jira/browse/HADOOP-9747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16324755#comment-16324755
]
Daryn Sharp commented on HADOOP-9747:
-------------------------------------
As an update, extremely close, really planned to have a final patch much
earlier. I've stripped out all the "intelligence" that analyzed the ugi
because it's actually quasi-broken in the sense that it causes kerberos
instances to double up in the creds, and as mentioned before, didn't play nice
with ranger's (ab)use of the ugi. Thought that would be simple but ran into
issues with the "external ugi" hackery. Found graceful way to manage them.
Updating/writing more tests.
The last thing I'm doing is solving the getLoginUser race. I thought the
unlikely race was "ok", but the dubious means of spawning renewals can be a
problem. We can't go back to a purely synchronized design because the NN's rpc
handlers pile up getting the login user to fetch an EDEK which is the primary
motivation for me atm.
> Reduce unnecessary UGI synchronization
> --------------------------------------
>
> Key: HADOOP-9747
> URL: https://issues.apache.org/jira/browse/HADOOP-9747
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0-alpha1
> Reporter: Daryn Sharp
> Assignee: Daryn Sharp
> Priority: Critical
> Attachments: HADOOP-9747-trunk.01.patch, HADOOP-9747-trunk.02.patch,
> HADOOP-9747.2.branch-2.patch, HADOOP-9747.2.trunk.patch,
> HADOOP-9747.branch-2.patch, HADOOP-9747.trunk.patch
>
>
> Jstacks of heavily loaded NNs show up to dozens of threads blocking in the
> UGI.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
