[
https://issues.apache.org/jira/browse/HADOOP-16819?focusedWorklogId=567125&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-567125
]
ASF GitHub Bot logged work on HADOOP-16819:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 16/Mar/21 17:30
Start Date: 16/Mar/21 17:30
Worklog Time Spent: 10m
Work Description: ghanko commented on a change in pull request #1894:
URL: https://github.com/apache/hadoop/pull/1894#discussion_r595392501
##########
File path:
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java
##########
@@ -356,16 +356,14 @@ private void updateCurrentKey() throws IOException {
int newCurrentId;
synchronized (this) {
newCurrentId = incrementCurrentKeyId();
- }
- DelegationKey newKey = new DelegationKey(newCurrentId, System
- .currentTimeMillis()
- + keyUpdateInterval + tokenMaxLifetime, generateSecret());
- //Log must be invoked outside the lock on 'this'
- logUpdateMasterKey(newKey);
- synchronized (this) {
- currentKey = newKey;
+ currentKey = new DelegationKey(newCurrentId, System
+ .currentTimeMillis()
+ + keyUpdateInterval + tokenMaxLifetime, generateSecret());
+
storeDelegationKey(currentKey);
}
+ //Log must be invoked outside the lock on 'this'
+ logUpdateMasterKey(currentKey);
Review comment:
Yes, but I'm not sure why it was placed between them. They have to be in
the same synchronized block to be atomic, otherwise other threads may find that
there's no key for the current id.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
Issue Time Tracking
-------------------
Worklog Id: (was: 567125)
Time Spent: 0.5h (was: 20m)
> Possible inconsistent state of AbstractDelegationTokenSecretManager
> -------------------------------------------------------------------
>
> Key: HADOOP-16819
> URL: https://issues.apache.org/jira/browse/HADOOP-16819
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: fs/s3, security
> Affects Versions: 3.3.0
> Reporter: Hankó Gergely
> Assignee: Hankó Gergely
> Priority: Major
> Labels: pull-request-available
> Attachments: HADOOP-16819.001.patch
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> [AbstractDelegationTokenSecretManager.updateCurrentKey|https://github.com/apache/hadoop/blob/581072a8f04f7568d3560f105fd1988d3acc9e54/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java#L360]
> increments the current key id and creates the new delegation key in two
> distinct synchronized blocks.
> This means that other threads can see the class in an *inconsistent state,
> where the key for the current key id doesn't exist (yet)*.
> For example the following method sometimes returns null when the token
> remover thread is between the two synchronized blocks:
> {noformat}
> @Override
> public DelegationKey getCurrentKey() {
> return getDelegationKey(getCurrentKeyId());
> }{noformat}
>
> Also it is possible that updateCurrentKey is called from multiple threads at
> the same time so *distinct keys can be generated with the same key id*.
>
> This issue is suspected to be the cause of the intermittent failure of
> [TestLlapSignerImpl.testSigning|https://github.com/apache/hive/blob/3c0705eaf5121c7b61f2dbe9db9545c3926f26f1/llap-server/src/test/org/apache/hadoop/hive/llap/security/TestLlapSignerImpl.java#L195]
> - HIVE-22621.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
