[jira] [Commented] (HADOOP-14445) Delegation tokens are not shared between KMS instances

[Xiao Chen (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581894#comment-16581894
 ] 

Xiao Chen commented on HADOOP-14445:
------------------------------------

Thanks all for reviewing this. Look forward to Daryn's active reviews, will 
address comments together..

Clarifications on the questions:
{quote}If the order of the kms instances change between renew for the long 
running process? Will the token selector still be able to find the matching 
token (AbstractDelegationTokenSelector#selectToken()) to renew? Should we 
define a logical kms uri to represent KMS HA instances to avoid this?
{quote}
Good question. You're right that when the url changes, the selection wouldn't 
work. My collection from the earlier discussion was that this was deemed an 
acceptable behavior. See discussions above, until [this 
comment|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16033492&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16033492].

{quote}
L347 in DelegationTokenAuthenticatedURL#selectDelegationToken will return a 
service in ip:port or host:port format (not uri). So creds.getToken(service) in 
next line may not return the HA KMS DT as service name will be in URI format. 
{quote}
The goal of this jira is to add this new format, while maintaining backwards 
compatibility. This means if the new software runs with old software (when the 
config {{hadoop.security.kms.client.token.use.uri.format}} isn't changed), it 
would behave the same. Hence the 
{{DelegationTokenAuthenticatedURL#selectDelegationToken}} is simply a code 
refactor.

The reason for that refactor is that, we can override this behavior in KMSCP 
and work our way for the new format. The reason it falls back to DTAURL to 
select token is for compat.

> Delegation tokens are not shared between KMS instances
> ------------------------------------------------------
>
>                 Key: HADOOP-14445
>                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0, 3.0.0-alpha1
>         Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
>            Reporter: Wei-Chiu Chuang
>            Assignee: Xiao Chen
>            Priority: Major
>         Attachments: HADOOP-14445-branch-2.8.002.patch, 
> HADOOP-14445-branch-2.8.patch, HADOOP-14445.002.patch, 
> HADOOP-14445.003.patch, HADOOP-14445.004.patch, HADOOP-14445.05.patch, 
> HADOOP-14445.06.patch, HADOOP-14445.07.patch, HADOOP-14445.08.patch, 
> HADOOP-14445.09.patch, HADOOP-14445.10.patch, HADOOP-14445.11.patch, 
> HADOOP-14445.12.patch, HADOOP-14445.13.patch, HADOOP-14445.14.patch, 
> HADOOP-14445.15.patch, HADOOP-14445.16.patch, 
> HADOOP-14445.branch-2.000.precommit.patch, 
> HADOOP-14445.branch-2.001.precommit.patch, HADOOP-14445.branch-2.01.patch, 
> HADOOP-14445.branch-2.02.patch, HADOOP-14445.branch-2.03.patch, 
> HADOOP-14445.branch-2.04.patch, HADOOP-14445.branch-2.05.patch, 
> HADOOP-14445.branch-2.06.patch, HADOOP-14445.branch-2.8.003.patch, 
> HADOOP-14445.branch-2.8.004.patch, HADOOP-14445.branch-2.8.005.patch, 
> HADOOP-14445.branch-2.8.006.patch, HADOOP-14445.branch-2.8.revert.patch, 
> HADOOP-14445.revert.patch
>
>
> As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do 
> not share delegation tokens. (a client uses KMS address/port as the key for 
> delegation token)
> {code:title=DelegationTokenAuthenticatedURL#openConnection}
> if (!creds.getAllTokens().isEmpty()) {
>         InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
>             url.getPort());
>         Text service = SecurityUtil.buildTokenService(serviceAddr);
>         dToken = creds.getToken(service);
> {code}
> But KMS doc states:
> {quote}
> Delegation Tokens
> Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation 
> tokens too.
> Under HA, A KMS instance must verify the delegation token given by another 
> KMS instance, by checking the shared secret used to sign the delegation 
> token. To do this, all KMS instances must be able to retrieve the shared 
> secret from ZooKeeper.
> {quote}
> We should either update the KMS documentation, or fix this code to share 
> delegation tokens.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org