slfan1989 commented on PR #5443: URL: https://github.com/apache/hadoop/pull/5443#issuecomment-1451469175
> > allKeys needs to be consistently updated across all router instances
>
> > Multiple Routers will share and store the Delegation token, there is no updated across all router instances.
>
> That is not the actual behaviour currently. Each router instance has its own set of master keys (allKeys & currentKey - these are set up on service startup through startThreads() & updated in rollMasterKey()). Even though they are stored in database, master key isn't looked up from database but just returned from the in memory variables (allKeys & currentKey). So a router instance can't renew tokens generated from another router instance.
>
> And even delegation tokens are not consistently updated across router instances. If a delegation token is present in currentTokens variable in multiple router instances but updated in one router instance (on token renewal), the other router instances will use their own in memory variable currentTokens rather than look up the database and thus can say the token is expired.

In the previous comment, I have already explained that we get data from shared storage, so this described situation should not happen.

Example:

We have 3 routers, namely `routerA`, `routerB`, and `routerC`, and we have 1 client `client1`.

- `Client1` applies for a token from `RouterA`. `RouterA` stores the token in memory and writes the token into `zk` or `db` at the same time. `RouterA` returns this token to the client; we call it `tokenA` (user=Client1,expireDate=2023-03-02 16:02:00...)
- `Client1` finds `RouterB` to query the token. At this time, `RouterB` does not have the token in memory. `RouterB` goes to zk or db to query, and then stores `tokenA` in memory.
- `Client1` renewToken to `RouterC`. At this time, after `RouterC` renewToken, TokenA will be updated; we call it TokenB (the expiration time is different from TokenA), and then store tokenB in zk or db.
- The `TokenA` has expired, the original `TokenA` has been removed by the cleaning thread of `RouterA` and `RouterB`.
- If the Token has not expired, the client can continue to perform operations no matter which Router it queries.
