[jira] [Commented] (HDFS-10436) dfs.block.access.token.enable should default on when security is !simple

Thu, 19 May 2016 18:58:35 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-10436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15292544#comment-15292544
 ] 

Yiqun Lin commented on HDFS-10436:
----------------------------------

HI,[~aw], thanks for reporting this. I agree with you. If the UGI security is 
enabled and you forget to enable the {{dfs.block.access.token.enable}}, then 
still use the default value(here is false). And it will cause the IOException. 
Like these:
{code}
  private static BlockTokenSecretManager createBlockTokenSecretManager(
      final Configuration conf) throws IOException {
    final boolean isEnabled = conf.getBoolean(
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, 
        DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_DEFAULT);
    LOG.info(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + "=" + isEnabled);

    if (!isEnabled) {
      if (UserGroupInformation.isSecurityEnabled()) {
        String errMessage = "Security is enabled but block access tokens " +
            "(via " + DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY + ") " +
            "aren't enabled. This may cause issues " +
            "when clients attempt to connect to a DataNode. Aborting NameNode";
        throw new IOException(errMessage);
      }
      return null;
    }
{code}
In {{DataNode#checkSecureConfig}}, there is also a similar problem. Attach a 
patch for this.

> dfs.block.access.token.enable should default on when security is !simple
> ------------------------------------------------------------------------
>
>                 Key: HDFS-10436
>                 URL: https://issues.apache.org/jira/browse/HDFS-10436
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, namenode
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Allen Wittenauer
>            Assignee: Yiqun Lin
>
> Unless there is a valid configuration where dfs.block.access.token.enable is 
> off and security is on, then rather than shutdown we should just enable the 
> block access tokens.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to