[jira] [Commented] (MAPREDUCE-3849) Change TokenCache's reading of the binary token file

Thu, 16 Feb 2012 10:13:25 -0800 

    [ 
https://issues.apache.org/jira/browse/MAPREDUCE-3849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13209562#comment-13209562
 ] 

Mahadev konar commented on MAPREDUCE-3849:
------------------------------------------

Daryn,
 Did you test this with something like Oozie where the delegation tokens are 
loaded from a file in the mapper? If not we should test that out.
                
> Change TokenCache's reading of the binary token file
> ----------------------------------------------------
>
>                 Key: MAPREDUCE-3849
>                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-3849
>             Project: Hadoop Map/Reduce
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 0.23.1, 0.24.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>             Fix For: 0.23.2
>
>         Attachments: MAPREDUCE-3849-2.patch, MAPREDUCE-3849.patch
>
>
> When obtaining the tokens for a {{FileSystem}}, the {{TokenCache}} will read 
> the binary token file if a token is not already in the {{Credentials}}.  
> However, it will overwrite any existing tokens in the {{Credentials}} with 
> the contents of the binary token file if a single token is missing.  This may 
> cause new tokens to be replaced with invalid/cancelled tokens from the binary 
> file.  The new tokens will not be canceled, and thus "leak" in the namenode 
> until they expire.
> The binary tokens should be merged with, but not replace, existing tokens in 
> the {{Credentials}}.
> The code that reads the binary token file is prefaced with:
> {code}
> //TODO: Need to come up with a better place to put
> //this block of code to do with reading the file
> {code}
> Also, the loading of the binary token file is the only reason that the 
> {{TokenCache}} has to use {{getCanonicalService}}.  If this linkage can be 
> broken, then the 1-to-1 filesystem to token service coupling may be removed.  
> And use of {{getCanonicalService}} can be removed in a subsequent jira.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to