[ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16415651#comment-16415651 ]

Rushabh S Shah edited comment on HADOOP-14445 at 3/27/18 2:06 PM:
------------------------------------------------------------------

{quote}
2. providersCreated: Should this be a list or just KeyProvider ?
bq. I disagree because even in tests we should code against interface. 
{quote}

I think I was not clear earlier.
What I meant was: should it be a list of KeyProvider {{List<KeyProvider>}} or
just a single element {{KeyProvider}}?
I agree with you completely that we should code against the interface. That's why I
feel it should be just a {{KeyProvider}}.
{noformat}
    KeyProvider keyProvider = KeyProviderFactory.get(providerUri, conf);
{noformat}
But I think it's late now since the other jira is already committed.

bq. testTokenCompatibilityOldRenewer
Your comment does make sense.
If we can test that the new RM is able to renew both tokens (which is already
present in your test suite in the last patch) and the identifier bits are the same
in both tokens, then we can remove this test case.
Hope it makes sense.


was (Author: shahrs87):
{quote}
2. providersCreated: Should this be a list or just KeyProvider ?
bq. I disagree because even in tests we should code against interface. 
{quote}

I think I was not clear earlier.
What I meant was: should it be a list of KeyProvider {{List<KeyProvider>}} or
just a single element {{KeyProvider}}?
I agree with you completely that we should code against the interface. That's why I
feel it should be just a {{KeyProvider}}.
{noformat}
    KeyProvider keyProvider = KeyProviderFactory.get(providerUri, conf);
{noformat}

bq. testTokenCompatibilityOldRenewer
Your comment does make sense.
If we can test that the new RM is able to renew both tokens (which is already
present in your test suite in the last patch) and the identifier bits are the same
in both tokens, then we can remove this test case.
Hope it makes sense.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, 
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, 
> HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch, 
> HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, 
> HADOOP-14445.09.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider does
> not share delegation tokens (a client uses the KMS address/port as the key for
> the delegation token):
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>   InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>       url.getPort());
>   Text service = SecurityUtil.buildTokenService(serviceAddr);
>   dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation 
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another 
> KMS instance, by checking the shared secret used to sign the delegation 
> token. To do this, all KMS instances must be able to retrieve the shared 
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share 
> delegation tokens.


