[ 
https://issues.apache.org/jira/browse/HADOOP-11187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aaron T. Myers updated HADOOP-11187:
------------------------------------
       Resolution: Fixed
    Fix Version/s: 2.7.0
     Hadoop Flags: Reviewed
           Status: Resolved  (was: Patch Available)

I've just committed this to trunk and branch-2.

Thanks a lot for the contribution, Arun.

> NameNode - KMS communication fails after a long period of inactivity
> --------------------------------------------------------------------
>
>                 Key: HADOOP-11187
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11187
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.6.0
>            Reporter: Arun Suresh
>            Assignee: Arun Suresh
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11187.1.patch, HADOOP-11187.2.patch
>
>
> As reported by [~atm] :
> The issue is due to the authentication token that the NN has to talk to the 
> KMS is expiring, AND the signature secret provider in the KMS authentication 
> filter is discarding the old secret after 2x the authentication token 
> validity period.
> If the token being supplied is under 1x the validity lifetime then the token 
> will authenticate just fine. If the token being supplied is between 1x-2x the 
> validity lifetime, then the token can be validated but it will be expired, so 
> a 401 will be returned to the client and it will get a new token. But if the 
> token being supplied is greater than 2x the validity lifetime, then the KMS 
> authentication filter will not even be able to validate the token, and will 
> return a 403, which will cause the client to not retry authentication to the 
> KMS.
> The KMSClientProvider needs to be modified to retry authentication even in 
> the above case.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
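
The three token-age windows from the issue description, as an added example that is not part of the original message or of Hadoop's code. It is a simplified model that assumes secrets roll over at fixed period boundaries and that the server keeps only the current and previous secret; `VALIDITY`, `secret_for`, `issue`, `server_check` and `client_call` are hypothetical names.

```python
import hashlib
import hmac

VALIDITY = 100  # token validity period in seconds (constructed value)


def secret_for(epoch):
    # Constructed stand-in for a randomly generated per-period signing secret.
    return hashlib.sha256(b"kms-secret-%d" % epoch).digest()


def issue(user, now):
    """Sign 'user&expiry' with the secret that is current at time `now`."""
    payload = f"{user}&{now + VALIDITY}".encode()
    sig = hmac.new(secret_for(now // VALIDITY), payload, hashlib.sha256).hexdigest()
    return payload.decode() + "&s=" + sig


def server_check(token, now):
    """Return 200, 401 (signature valid, token expired) or 403 (signature not verifiable)."""
    payload, _, sig = token.rpartition("&s=")
    current = now // VALIDITY
    # Only the current and previous secrets are retained; older ones are discarded.
    for epoch in (current, current - 1):
        expected = hmac.new(secret_for(epoch), payload.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            expiry = int(payload.rsplit("&", 1)[1])
            return 200 if now < expiry else 401
    return 403


def client_call(token, now, retry_on_403):
    """Model of a client request; returns (final_status, token_in_use)."""
    status = server_check(token, now)
    # Re-authenticate at most once, so a genuine 403 still surfaces to the caller.
    if status == 401 or (status == 403 and retry_on_403):
        token = issue("nn", now)
        status = server_check(token, now)
    return status, token
```

With `retry_on_403=False` a token older than two validity periods leaves the client stuck on 403; with `retry_on_403=True` it re-authenticates once and recovers.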
