[jira] [Commented] (HDFS-10757) KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used

Fri, 21 Oct 2016 14:43:32 -0700 

    [ 
https://issues.apache.org/jira/browse/HDFS-10757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15596461#comment-15596461
 ] 

Hudson commented on HDFS-10757:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #10658 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/10658/])
HDFS-10757. KMSClientProvider combined with KeyProviderCache can result (xyao: 
rev be7237224819e2491aef91cd4f055c7efcf7b90d)
* (edit) 
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java
* (edit) 
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java


> KMSClientProvider combined with KeyProviderCache can result in wrong UGI 
> being used
> -----------------------------------------------------------------------------------
>
>                 Key: HDFS-10757
>                 URL: https://issues.apache.org/jira/browse/HDFS-10757
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Assignee: Xiaoyu Yao
>            Priority: Critical
>             Fix For: 2.8.0, 3.0.0-alpha2
>
>         Attachments: HDFS-10757.00.patch, HDFS-10757.01.patch, 
> HDFS-10757.02.patch, HDFS-10757.03.patch
>
>
> ClientContext::get gets the context from CACHE via a config setting based 
> name, then KeyProviderCache stored in ClientContext gets the key provider 
> cached by URI from the configuration, too. These would return the same 
> KeyProvider regardless of current UGI.
> KMSClientProvider caches the UGI (actualUgi) in ctor; that means in 
> particular that all the users of DFS with KMSClientProvider in a process will 
> get the KMS token (along with other credentials) of the first user, via the 
> above cache.
> Either KMSClientProvider shouldn't store the UGI, or one of the caches should 
> be UGI-aware, like the FS object cache.
> Side note: the comment in createConnection that purports to handle the 
> different UGI doesn't seem to cover what it says it covers. In our case, we 
> have two unrelated UGIs with no auth (createRemoteUser) with bunch of tokens, 
> including a KMS token, added.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to