[ https://issues.apache.org/jira/browse/HADOOP-16199?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16803459#comment-16803459 ]
Xiaoyu Yao commented on HADOOP-16199:
-------------------------------------
{quote}The added test is almost the same as
testTokenServiceCreationWithUriFormat, added in HADOOP-15997, except that it
configured key provider explicitly.
{quote}
Yes. That's a valid client configuration where the client just downloaded the
configuration from the same configuration used by an Ambari/CM managed cluster,
where hadoop.security.key.provider.path=kms://http@kms1;kms2:9600/kms
{quote}After HADOOP-14445, if configuring KMS provider path explicitly for
client, the expected behavior is: the client gets a kms dt whose credential
alias is one of (randomly selected) KMS URI.
{quote}
The following code in LoadBalancingKMSClientProvider#getDelegationToken was added
by HADOOP-14445 to set the token service field to the KMS URI so that it
can be used across all instances. Check KMSUtil#createKeyProvider and
HdfsKMSUtil.createKeyProvider: the URI configured above will be the one set into
the token service field by LoadBalancingKMSClientProvider.
{code}
public Token<?> getDelegationToken(String renewer) throws IOException {
  return doOp(new ProviderCallable<Token<?>>() {
    @Override
    public Token<?> call(KMSClientProvider provider) throws IOException {
      Token<?> token = provider.getDelegationToken(renewer);
      // override sub-providers service with our own so it can be used
      // across all providers.
      token.setService(dtService);
      LOG.debug("New token service set. Token: ({})", token);
      return token;
    }
{code}
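As an added illustration (not part of the original comment and not Hadoop code), the plain-JDK Java model below shows why overriding the sub-provider's service with the configured provider URI lets a single lookup key find the token regardless of which KMS instance issued it. The Token and SubProvider classes, the host:port service label and the map-based selection are simplifying assumptions.

```java
import java.util.*;

// Simplified model (not Hadoop code) of the service override discussed above.
public class KmsTokenServiceModel {
    // Provider path taken from the configuration quoted in the comment.
    static final String PROVIDER_URI = "kms://http@kms1;kms2:9600/kms";

    /** Hypothetical stand-in for a delegation token: only the service field matters here. */
    static final class Token {
        final String issuer;   // which KMS instance issued the token
        String service;        // credential alias used for lookup
        Token(String issuer, String service) { this.issuer = issuer; this.service = service; }
    }

    /** Hypothetical stand-in for one KMSClientProvider bound to a single host. */
    static final class SubProvider {
        final String host;
        SubProvider(String host) { this.host = host; }
        Token getDelegationToken() {
            // Assumption: a sub-provider labels the token with its own endpoint.
            return new Token(host, host + ":9600");
        }
    }

    /** Fetch a token from the sub-provider at idx, optionally overriding the service. */
    static Token getDelegationToken(List<SubProvider> providers, int idx, boolean overrideService) {
        Token t = providers.get(idx % providers.size()).getDelegationToken();
        if (overrideService) t.service = PROVIDER_URI; // mirrors token.setService(dtService)
        return t;
    }

    /** Select by exact service match, as a credentials store keyed by alias would. */
    static Optional<Token> select(Map<String, Token> creds, String service) {
        return Optional.ofNullable(creds.get(service));
    }

    public static void main(String[] args) {
        List<SubProvider> providers = List.of(new SubProvider("kms1"), new SubProvider("kms2"));
        for (boolean override : new boolean[] {false, true}) {
            for (int idx = 0; idx < providers.size(); idx++) {
                Token t = getDelegationToken(providers, idx, override);
                Map<String, Token> creds = new HashMap<>();
                creds.put(t.service, t);
                // A client or renewer configured with the provider path looks up by that URI.
                boolean found = select(creds, PROVIDER_URI).isPresent();
                System.out.printf("override=%b issuer=%s service=%s foundByUri=%b%n",
                        override, t.issuer, t.service, found);
            }
        }
    }
}
```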
> KMSLoadBlanceClientProvider does not select token correctly
> -----------------------------------------------------------
>
> Key: HADOOP-16199
> URL: https://issues.apache.org/jira/browse/HADOOP-16199
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 3.0.2
> Reporter: Xiaoyu Yao
> Assignee: Xiaoyu Yao
> Priority: Major
> Labels: kms
>
> After HADOOP-14445 and HADOOP-15997, there are still cases where
> KMSLoadBlanceClientProvider does not select token correctly.
> Here is the use case:
> The new configuration key
> hadoop.security.kms.client.token.use.uri.format=true is set across all the
> cluster, including both Submitter and Yarn RM(renewer), which is not covered
> in the test matrix in this [HADOOP-14445
> comment|https://issues.apache.org/jira/browse/HADOOP-14445?focusedCommentId=16505761&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16505761].
> I will post the debug log and the proposed fix shortly, cc: [~xiaochen] and
> [~jojochuang].