[jira] [Commented] (HADOOP-16199) KMSLoadBlanceClientProvider does not select token correctly

Tue, 26 Mar 2019 14:21:47 -0700 


    [ 
https://issues.apache.org/jira/browse/HADOOP-16199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16802189#comment-16802189
 ] 

Wei-Chiu Chuang commented on HADOOP-16199:
------------------------------------------

The added test is almost the same as testTokenServiceCreationWithUriFormat, 
added in HADOOP-15997, except that it configured key provider explicitly.
{code:java}
String providerUriString = "kms://http@host1;host2;host3:9600/kms/foo";
conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_KEY_PROVIDER_PATH,
                        providerUriString);
{code}
After HADOOP-14445, if configuring KMS provide path explicitly for client, the 
expected behavior is: the client gets a kms dt whose credential alias is one of 
(randomly selected) KMS URI.

After HADOOP-14445, and if client gets KMS URI in FsServerDefaults from 
NameNode, it gets a delegation token whose credential alias is the concatenated 
string of KMS URIs.

Looking at the application log, my question is: why does the client have a KMS 
dt in the newer form rather than the old form ("host1:9600")? Is it expected?

> KMSLoadBlanceClientProvider does not select token correctly
> -----------------------------------------------------------
>
>                 Key: HADOOP-16199
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16199
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 3.0.2
>            Reporter: Xiaoyu Yao
>            Assignee: Xiaoyu Yao
>            Priority: Major
>              Labels: kms
>
> After HADOOP-14445 and HADOOP-15997, there are still cases where 
> KMSLoadBlanceClientProvider does not select token correctly. 
> Here is the use case:
> The new configuration key 
> hadoop.security.kms.client.token.use.uri.format=true is set cross all the 
> cluster, including both Submitter and Yarn RM(renewer), which is not covered 
> in the test matrix in this [HADOOP-14445 
> comment|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16505761&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16505761].
> I will post the debug log and the proposed fix shortly, cc: [~xiaochen] and 
> [~jojochuang].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to