[ 
https://issues.apache.org/jira/browse/HADOOP-16972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17086064#comment-17086064
 ] 

Eric Yang commented on HADOOP-16972:
------------------------------------

[~iwasakims] Thank you for the pointer that kms-dt is a different type from 
hdfs-dt.  Your patch is the right way to address this problem in the short term.

It is not a good idea to make a separate token issuer a common practice unless 
there are good reasons.  Synchronization of sessions becomes a problem when 
token expiration is unsynchronized due to API calls at different times.  HttpFS 
is working in the absence of contacting the namenode.  Hence, it is kind of ok 
to allow HttpFS to manage a separate token set for a specific use case.

In theory, KMS security does not benefit from having a separate token kind.  
This implementation is more for performance reasons, to reduce round trips with 
the namenode for user credential validation.  However, there are more 
disadvantages in doing so, like unsynchronized sessions, and additional 
logic/payload to populate different token types to the right place.  Since the 
Hadoop community has already done some of the hard work to solve the problems 
superficially, this patch is a good stop-gap solution, and I would prefer to 
fix KMS to use the global AuthenticationFilter to avoid session problems and 
reduce config logistics.  These changes are beyond my participation in KMS code 
or the scope of this issue.

+1 for fixing this in 3.3.0 to prevent regression.

> Ignore AuthenticationFilterInitializer for KMSWebServer
> -------------------------------------------------------
>
>                 Key: HADOOP-16972
>                 URL: https://issues.apache.org/jira/browse/HADOOP-16972
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: kms
>    Affects Versions: 3.3.0
>            Reporter: Masatake Iwasaki
>            Assignee: Masatake Iwasaki
>            Priority: Major
>
> KMS does not work if hadoop.http.filter.initializers is set to 
> AuthenticationFilterInitializer since KMS uses its own authentication filter. 
> This is problematic when KMS is on the same node with other Hadoop services 
> and shares core-site.xml with them. The filter initializers configuration 
> should be tweaked as done for httpfs in HDFS-14845.


