[GitHub] [spark] steveloughran commented on a change in pull request #30366: [SPARK-33440][CORE] Use current timestamp with warning log when the issue date for token is not set up properly

Thu, 19 Nov 2020 07:14:47 -0800 


steveloughran commented on a change in pull request #30366:
URL: https://github.com/apache/spark/pull/30366#discussion_r526963218



##########
File path: 
core/src/main/scala/org/apache/spark/deploy/security/HadoopFSDelegationTokenProvider.scala
##########
@@ -126,13 +130,28 @@ private[deploy] class HadoopFSDelegationTokenProvider
       Try {
         val newExpiration = token.renew(hadoopConf)
         val identifier = 
token.decodeIdentifier().asInstanceOf[AbstractDelegationTokenIdentifier]
-        val interval = newExpiration - identifier.getIssueDate
-        logInfo(s"Renewal interval is $interval for token 
${token.getKind.toString}")
+        val tokenKind = token.getKind.toString
+        val interval = newExpiration - getIssueDate(tokenKind, identifier)
+        logInfo(s"Renewal interval is $interval for token $tokenKind")
         interval
       }.toOption
     }
     if (renewIntervals.isEmpty) None else Some(renewIntervals.min)
   }
+
+  private def getIssueDate(kind: String, identifier: 
AbstractDelegationTokenIdentifier): Long = {

Review comment:
       You don't need a security manager for fetching DTs of filesystems or 
renewing. Example: the S3A ones can be issued if you have AWS creds. It's just 
that all code written today assumes that filesystems & services only issue DTs 
if user is kerberized or was launched with an existing set of creds. Example: 
how to collect a DT to talk to the landsat bucket for the next 12 hours
   
   ```
   bin/hdfs fetchdt -D 
fs.s3a.delegation.token.binding=org.apache.hadoop.fs.s3a.auth.delegation.SessionTokenBinding
 --webservice s3a://landsat-pds/ secrets.bin
   ```
   
   Renewal is a different bit of work tho'. It would get complicated fast




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to