[ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-14445:
-------------------------------
    Release Note: 

+    Whether the KMS client provider should use uri format as delegation tokens'
+    service field. Historically KMS tokens have ip:port as service, making
+    KMS clients only able to use the token to authenticate with 1 KMS server,
+    even though the token is shared among all KMS servers at server-side.
+    With the tokens service in uri format, the clients can use it to
+    authenticate with all KMS servers.
+    Note that this should only be set to true if ALL clients are running
+    software that contains HADOOP-14445. Clients running on software without
+    HADOOP-14445 will fail to authenticate if the token is in uri format.
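Review bot: the configuration description above says only that ALL clients must run software containing HADOOP-14445, but the release note below also requires the token renewers to be upgraded ("ALL clients and renewers"). Since this description is what operators will read in core-default.xml, suggest aligning it with the release note, e.g. "Note that this should only be set to true if ALL clients and renewers are running software that contains HADOOP-14445."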
A new configuration, `hadoop.security.kms.client.token.use.uri.format`, is 
introduced in the KMS clients to control the service field of the delegation 
tokens fetched from the KMS. Historically, KMS delegation tokens have had 
ip:port as their service, making KMS clients only able to use the token to 
authenticate with one KMS server, even though the token is shared among all 
KMS servers at the server side. The default value of this configuration is 
false, to be compatible with existing behavior.

When the configuration is set to true, the KMS delegation token will use the 
URI as its service. This way, the clients can use it to authenticate with all 
KMS servers.

Note that this should only be set to true if ALL clients and renewers are 
running software that contains HADOOP-14445. Clients running on software 
without HADOOP-14445 will fail to authenticate if the token is in URI format.

  was:

A new token kind, `KMS_DELEGATION_TOKEN`, is introduced for the delegation 
tokens issued by the KMS. This new token kind uses the full KMS URI as its 
service field, and hence is aware of all the KMS servers that it is valid 
for. The legacy token kind, `kms-dt`, is deprecated.

The legacy token can still be used for authentication / renewal for backward 
compatibility.

By default, new KMS clients that get a `KMS_DELEGATION_TOKEN` will create an 
identical token of the legacy `kms-dt` kind, to support a hybrid of new 
clients and legacy clients during authentication. This behavior can be turned 
off by setting `hadoop.security.kms.client.copy.legacy.token` to false. It is 
recommended to turn this behavior off only after all of the following are 
upgraded to the new version: all KMS servers, all KMS clients, all KMS token 
renewers.


> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, 
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, 
> HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch, 
> HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, 
> HADOOP-14445.09.patch, HADOOP-14445.10.patch, HADOOP-14445.11.patch, 
> HADOOP-14445.12.patch, HADOOP-14445.13.patch, HADOOP-14445.14.patch, 
> HADOOP-14445.branch-2.000.precommit.patch, 
> HADOOP-14445.branch-2.001.precommit.patch, HADOOP-14445.branch-2.01.patch, 
> HADOOP-14445.branch-2.02.patch, HADOOP-14445.branch-2.03.patch, 
> HADOOP-14445.branch-2.04.patch, HADOOP-14445.branch-2.05.patch, 
> HADOOP-14445.branch-2.06.patch, HADOOP-14445.branch-2.8.003.patch, 
> HADOOP-14445.branch-2.8.004.patch, HADOOP-14445.branch-2.8.005.patch, 
> HADOOP-14445.branch-2.8.006.patch, HADOOP-14445.branch-2.8.revert.patch, 
> HADOOP-14445.revert.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider does 
> not share delegation tokens (a client uses the KMS address/port as the key for 
> the delegation token):
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation 
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another 
> KMS instance, by checking the shared secret used to sign the delegation 
> token. To do this, all KMS instances must be able to retrieve the shared 
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share 
> delegation tokens.
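As an added illustration (not code from the Hadoop patch or project), here is a small Python model of the lookup in the quoted `DelegationTokenAuthenticatedURL#openConnection` and of the `hadoop.security.kms.client.token.use.uri.format` switch from the release note: it shows why a token keyed by the issuing instance's ip:port is invisible when the load balancer moves to the other instance, and why a pre-HADOOP-14445 client cannot use a URI-format token. The hostnames, port and provider URI are constructed, and `Credentials` is a stand-in for Hadoop's class.

```python
from dataclasses import dataclass, field

# Constructed HA provider URI naming both instances; hostnames stand in for
# the IPs that SecurityUtil.buildTokenService would resolve.
KMS_URI = "kms://https@kms1.example.com;kms2.example.com:9600/kms"
KMS_HOSTS = ["kms1.example.com", "kms2.example.com"]
KMS_PORT = 9600

@dataclass
class Token:
    identifier: str   # constructed label; real tokens carry an opaque identifier
    service: str      # ip:port of the issuing KMS, or the full provider URI

@dataclass
class Credentials:
    """Stand-in for o.a.h.security.Credentials: tokens keyed by service."""
    tokens: dict = field(default_factory=dict)
    def add_token(self, tok: Token) -> None:
        self.tokens[tok.service] = tok
    def get_token(self, service: str):
        return self.tokens.get(service)

def legacy_service(host: str, port: int) -> str:
    """Key a pre-HADOOP-14445 client derives from the KMS it is about to call."""
    return f"{host}:{port}"

def fetch_token(issuing_host: str, use_uri_format: bool) -> Token:
    """Token as the client stores it; the flag models
    hadoop.security.kms.client.token.use.uri.format."""
    if use_uri_format:
        return Token(f"dt-issued-by-{issuing_host}", KMS_URI)
    return Token(f"dt-issued-by-{issuing_host}",
                 legacy_service(issuing_host, KMS_PORT))

def select_token(creds: Credentials, target_host: str, use_uri_format: bool):
    """Lookup a patched client does before connecting to target_host."""
    key = KMS_URI if use_uri_format else legacy_service(target_host, KMS_PORT)
    return creds.get_token(key)

def reachable_instances(use_uri_format: bool) -> list:
    """Instances a token fetched from kms1 can authenticate to."""
    creds = Credentials()
    creds.add_token(fetch_token(KMS_HOSTS[0], use_uri_format))
    return [h for h in KMS_HOSTS if select_token(creds, h, use_uri_format)]

def legacy_client_can_use(tok: Token, target_host: str) -> bool:
    """A client without HADOOP-14445 only ever looks up by ip:port."""
    creds = Credentials()
    creds.add_token(tok)
    return creds.get_token(legacy_service(target_host, KMS_PORT)) is not None
```

With the flag off, only the issuing instance matches the stored key; with it on, every instance named in the URI matches, but an unpatched client looking up by ip:port finds nothing, which is the compatibility caveat in the release note.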



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
