[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344105#comment-16344105
]
Xiao Chen commented on HADOOP-14445:
------------------------------------
Thanks [~daryn] for circling back with the new idea. Mixed feeling (and head
scratching)! :)
I think a new and standardized token kind should work, and conveniently
eliminate the need for changing client configs, so SGTM. We may also check in
the RM, when its {{DelegationTokenRenewer}} received a set of tokens, and there
are both kms-dt and KMS_D_T with the same sequence number, only renew the
KMS_D_T.
For that to work, we'd need a new {{KMSDelegationTokenIdentifier}} class and a
new {{DelegationTokenAuthenticationHandler}} too.
Curious: with the current approach (patch 3) we need just an additional config
deployment after the upgrade, right? What changed your mind from
[earlier|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16279134&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16279134]
(assuming the implementation comments are addressed) ?
I'd rather prefer not to sacrifice old RM + new client. True for RU should
still work, but there is still support burden for a new client connecting to an
existing cluster. Token issues are not the easiest to figure out, and IMO we
should avoid this case when we can.
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
> Reporter: Wei-Chiu Chuang
> Assignee: Rushabh S Shah
> Priority: Major
> Attachments: HADOOP-14445-branch-2.8.002.patch,
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, HADOOP-14445.003.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
