[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16397559#comment-16397559
]
Wei-Chiu Chuang commented on HADOOP-14445:
------------------------------------------
Half way through the patch ...
# The handling of old/new KMS DT needs a little refactor.
(KMSClientProvider#getKMSToken(), KMSClientProvider#addDelegationTokens()) One
year from now I won't be able to remember why we did these tricks. I'll be
easier to maintain in the future as well.
# Having a configuration hadoop.security.kms.client.copy.legacy.token to flip
the switch is fine. It'll need a better documentation, in the release note for
example. I looked at the description in core-default.xml and honestly I
wouldn't understand the caveats. It'll be hard to debug RM scalability problems
with this key is on, and I doubt people will understand that once this is
turned off, old clients will not be supported any more.
# There will be cases where clients are on different versions. There will be
cases where a client accesses multiple clusters (distcp). There will be cases
where an application relies on multiple versions of Hadoop libs. It's going to
difficult to control client version.
# Would it make sense to mark KMSDelegationToken deprecated?
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
> Reporter: Wei-Chiu Chuang
> Assignee: Xiao Chen
> Priority: Major
> Attachments: HADOOP-14445-branch-2.8.002.patch,
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch,
> HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch,
> HADOOP-14445.06.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
