[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16337925#comment-16337925
]
Xiao Chen edited comment on HADOOP-14445 at 1/25/18 5:07 AM:
-------------------------------------------------------------
Thanks for the work here Rushabh, latest patch looks really promising!
Appreciate the thorough test coverage.
I also ran some more tests with this patch on a test cluster, and things look
good. The binary upgrade is compatible, and the format switch is done with an
additional config deployment. This is more or less inline with what [~daryn]
suggested above I think.
Some comments in latest patch, mostly nits:
* We need some sort of formal documentation on upgrading -> changing the
config. Either in docs or a detailed release note would do.
* KMSCP: Please rename the variables to be the common hadoop naming convention
(xxx_KEY, xxx_DEFAULT)
* The above config should be added to core-default.
* KMSCP: typo, "then he value is read from" s/he value/the value/g
* KMSCP: There are some extra line breaks after createKMSAuthenticatedURL.
* KMSCP: {{containsKmsDt}}'s existing log isn't accurate. Suggest to move that
to after the {{getTokenFromCredentials}} call, and log out what token it
actually got.
* TestLoadBalancingKMSClientProvider.java: I think we don't need to set the
injector during @BeforeClass
* TestKMS: some unused variables can be removed: line 2606 {{renewed}}, line
2653 {{kp1}}.
My 'key operations' comments meant to say we actually use the token to do
something. You happen to add the same in the new tests. :) So overall I'm +1
pending the above.
was (Author: xiaochen):
Thanks for the work here Rushabh, latest patch looks really promising!
Appreciate the thorough test coverage.
I will run some more tests with this patch on a test cluster, and will comment
back.
Some comments in latest patch, mostly nits:
* We need some sort of formal documentation on upgrading -> changing the
config. Either in docs or a detailed release note would do.
* KMSCP: Please move the new config to KMSConfiguration.java. Also rename the
variables to be the common hadoop naming convention (xxx_KEY, xxx_DEFAULT)
* KMSCP: typo, "then he value is read from" s/he value/the value/g
* KMSCP: There are some extra line breaks after createKMSAuthenticatedURL.
* KMSCP: {{containsKmsDt}}'s existing log isn't accurate. Suggest to move that
to after the {{getTokenFromCredentials}} call, and log out what token it
actually got.
* TestLoadBalancingKMSClientProvider.java: I think we don't need to set the
injector during @BeforeClass
* TestKMS: some unused variables can be removed: line 2606 {{renewed}}, line
2653 {{kp1}}.
My 'key operations' comments meant to say we actually use the token to do
something. You happen to add the same in the new tests. :)
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
> Reporter: Wei-Chiu Chuang
> Assignee: Rushabh S Shah
> Priority: Major
> Attachments: HADOOP-14445-branch-2.8.002.patch,
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, HADOOP-14445.003.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
