[
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16426501#comment-16426501
]
Xiao Chen commented on HADOOP-14445:
------------------------------------
Thanks again for the reviews Rushabh and Wei-Chiu.
Testing this in real clusters revealed some issues in the patch.
[^HADOOP-14445.12.patch] addressed them. Namely:
- {{KMSCP#addDelegationTokens}} should only setService on KMS_D_T tokens, so if
there is an old server returning kms-dt, it would still work
- {{KMSCP#selectKMSDelegationToken}} the fall back logic should use existing
logic to {{getToken}} by service, instead of using a selector. This way we can
be sure new client works with old submitter + new server. Added a detailed
comment there.
- Also added a 'real' unit test {{TestKMSClientProvider}} to test these
explicitly, as a cover up of the existing TestKMS cases.
I have tested the latest patch via wordcount (in an env with 3 NM, 2 KMS. RM
host does not have either NM or KMS, and was used as job submitter):
- upgrade 1 NM
- upgrade 1 KMS
- upgrade both KMS
- upgrade all NM
- upgrade RM
Job ran at each step, verified from debug level yarn app logs that
authentication was successful using tokens.
In the end, deployed the new config=false everywhere and verified things still
work.
> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
> Key: HADOOP-14445
> URL: https://issues.apache.org/jira/browse/HADOOP-14445
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.8.0, 3.0.0-alpha1
> Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
> Reporter: Wei-Chiu Chuang
> Assignee: Xiao Chen
> Priority: Major
> Attachments: HADOOP-14445-branch-2.8.002.patch,
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch,
> HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch,
> HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch,
> HADOOP-14445.09.patch, HADOOP-14445.10.patch, HADOOP-14445.11.patch,
> HADOOP-14445.12.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do
> not share delegation tokens. (a client uses KMS address/port as the key for
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
> InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
> url.getPort());
> Text service = SecurityUtil.buildTokenService(serviceAddr);
> dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another
> KMS instance, by checking the shared secret used to sign the delegation
> token. To do this, all KMS instances must be able to retrieve the shared
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share
> delegation tokens.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
