[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15316065#comment-15316065 ] Xiao Chen commented on HADOOP-13155: FYI created HDFS-10489 for the config deprecation. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug > Components: kms, security >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.07.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15315594#comment-15315594 ] Xiao Chen commented on HADOOP-13155: Thanks [~andrew.wang] for the review, commit and discussions! I added a release note to this jira. Will create a new one targeting 3.0.0 to deprecate the config keys. Also thanks Arun, Yongjun, Wei-Chiu and Allen for your valuable inputs / reviews. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug > Components: kms, security >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.07.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15315154#comment-15315154 ] Hudson commented on HADOOP-13155: - SUCCESS: Integrated in Hadoop-trunk-Commit #9911 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9911/]) HADOOP-13155. Implement TokenRenewer to renew and cancel delegation (wang: rev 713cb71820ad94a5436f35824d07aa12fcba5cc6) * hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/DFSUtilClient.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java * hadoop-common-project/hadoop-kms/src/main/java/org/apache/hadoop/crypto/key/kms/server/KMSAuthenticationFilter.java * hadoop-common-project/hadoop-common/src/main/resources/META-INF/services/org.apache.hadoop.security.token.TokenRenewer * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/LoadBalancingKMSClientProvider.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/KMSUtil.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/KeyProviderDelegationTokenExtension.java > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug > Components: kms, security >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.07.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15315117#comment-15315117 ] Andrew Wang commented on HADOOP-13155: -- LGTM +1, will commit shortly. Thanks for working on this Xiao. Could you also add a release note about the new config requirement for renewal? Also, should we do anything about this for Hadoop 3? For instance, deprecate and remove the "dfs._" key in favor of the "hadoop._" key? > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.07.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15311702#comment-15311702 ] Hadoop QA commented on HADOOP-13155: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 13s {color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s {color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s {color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 1m 12s {color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 5m 57s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 9s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 21s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 42s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 33s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 56s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 25s {color} | {color:green} trunk passed {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s {color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 20s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 43s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 43s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 23s {color} | {color:red} root: The patch generated 2 new + 160 unchanged - 6 fixed = 162 total (was 166) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 48s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 34s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s {color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 37s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 27s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 7m 14s {color} | {color:green} hadoop-common in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 28s {color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 53s {color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 20s {color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 49m 22s {color} | {color:black} {color} | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:2c91fd8 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12807604/HADOOP-13155.07.patch | | JIRA Issue | HADOOP-13155 | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux 3b27fd943a0a 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / 16b1cc7 | | Default Java | 1.8.0_91 | | findbugs | v3.0.0 | | checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/9644/artifact/patchprocess/diff-checkstyle-root.txt | | Test Results | https://builds.apache.org/job/PreCommit-HADOOP-Build/9644/testReport/ | | modules | C: hadoop-common-project/hadoop-common hadoop-common-project/hadoop-kms hadoop-hdfs-project/hadoop-hdfs-client U: . | | Console output |
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15309022#comment-15309022 ] Xiao Chen commented on HADOOP-13155: Thanks [~aw] for the suggestion. Given that {{DtUtilShell}} invokes the interface of {{org.apache.hadoop.security.token.Token#renew}} in {{DtFileOperations#renewTokenFile}} (and cancel in the same way), the current test in {{TestKMS}} covers it by calling the same interface. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15309003#comment-15309003 ] Allen Wittenauer commented on HADOOP-13155: --- We should make sure this works with hadoop dtutil. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15308927#comment-15308927 ] Xiao Chen commented on HADOOP-13155: Thanks Andrew for the summary. I'm working on the test for DTAuthenticator, it's not straight forward, I'll create a new jira and link here + ping you when ready. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15308715#comment-15308715 ] Andrew Wang commented on HADOOP-13155: -- I talked with Xiao about this patch offline, here's our notes: * Setting the DT in the query string is deprecated, and only preserved for testing. So we don't need to support that in this new renewer functionality. * We should consider splitting out that bug fix into a separate JIRA, I promise to quickly review and commit since this one is dependent. A unit test would be good too. * We need to keep using the old "dfs..." config key for compatibility, so can't just swap to the "hadoop..." config key. I haven't seen a situation where we'd want to configure these differently, since people normally only have a single KMS instance for the entire cluster. But, compat is compat, so we think a setter function in DFSClientUtil will work. One day we will probably want per-DFS KMS configuration for cross-cluster distcp, in which case we'd also need this. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.05.patch, > HADOOP-13155.06.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15308214#comment-15308214 ] Hadoop QA commented on HADOOP-13155: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 14s {color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s {color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s {color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 42s {color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 15s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 10s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 20s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 52s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 36s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 23s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 25s {color} | {color:green} trunk passed {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 10s {color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 22s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 46s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 46s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 26s {color} | {color:red} root: The patch generated 2 new + 232 unchanged - 6 fixed = 234 total (was 238) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 52s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 34s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s {color} | {color:green} The patch has no whitespace issues. {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 3m 50s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 26s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 7m 16s {color} | {color:red} hadoop-common in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 28s {color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 55s {color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 22s {color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 50m 20s {color} | {color:black} {color} | \\ \\ || Reason || Tests || | Failed junit tests | hadoop.security.token.delegation.web.TestWebDelegationToken | \\ \\ || Subsystem || Report/Notes || | Docker | Image:yetus/hadoop:2c91fd8 | | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12807203/HADOOP-13155.06.patch | | JIRA Issue | HADOOP-13155 | | Optional Tests | asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle | | uname | Linux e84f95c15e43 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | /testptch/hadoop/patchprocess/precommit/personality/provided.sh | | git revision | trunk / bca31fe | | Default Java | 1.8.0_91 | | findbugs | v3.0.0 | | checkstyle | https://builds.apache.org/job/PreCommit-HADOOP-Build/9624/artifact/patchprocess/diff-checkstyle-root.txt | | unit |
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15307380#comment-15307380 ] Hadoop QA commented on HADOOP-13155: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 11s {color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s {color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s {color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 48s {color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 6m 31s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 14s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 1m 22s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 49s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 35s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 2m 58s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 25s {color} | {color:green} trunk passed {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 11s {color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 21s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 6m 44s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 6m 44s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 1m 23s {color} | {color:red} root: The patch generated 7 new + 233 unchanged - 6 fixed = 240 total (was 239) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 42s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 33s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s {color} | {color:green} The patch has no whitespace issues. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 27s {color} | {color:red} hadoop-common-project/hadoop-common generated 3 new + 0 unchanged - 0 fixed = 3 total (was 0) {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 25s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 7m 18s {color} | {color:red} hadoop-common in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 27s {color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 0m 54s {color} | {color:green} hadoop-hdfs-client in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 21s {color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 49m 35s {color} | {color:black} {color} | \\ \\ || Reason || Tests || | FindBugs | module:hadoop-common-project/hadoop-common | | | Load of known null value in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.cancel(Token, Configuration) At KMSClientProvider.java:in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.cancel(Token, Configuration) At KMSClientProvider.java:[line 189] | | | Load of known null value in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.renew(Token, Configuration) At KMSClientProvider.java:in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.renew(Token, Configuration) At KMSClientProvider.java:[line 174] | | | Possible null pointer dereference of dToken in org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.appendDelegationToken(URL, AuthenticatedURL$Token, Token, HttpURLConnection) Dereferenced at DelegationTokenAuthenticator.java:dToken in
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15307323#comment-15307323 ] Hadoop QA commented on HADOOP-13155: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 17s {color} | {color:blue} Docker mode activated. {color} | | {color:green}+1{color} | {color:green} @author {color} | {color:green} 0m 0s {color} | {color:green} The patch does not contain any @author tags. {color} | | {color:green}+1{color} | {color:green} test4tests {color} | {color:green} 0m 0s {color} | {color:green} The patch appears to include 1 new or modified test files. {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 13s {color} | {color:blue} Maven dependency ordering for branch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 8m 0s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 47s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} checkstyle {color} | {color:green} 0m 33s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 33s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 22s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} findbugs {color} | {color:green} 1m 56s {color} | {color:green} trunk passed {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 13s {color} | {color:green} trunk passed {color} | | {color:blue}0{color} | {color:blue} mvndep {color} | {color:blue} 0m 7s {color} | {color:blue} Maven dependency ordering for patch {color} | | {color:green}+1{color} | {color:green} mvninstall {color} | {color:green} 1m 13s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} compile {color} | {color:green} 8m 24s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} javac {color} | {color:green} 8m 24s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} checkstyle {color} | {color:red} 0m 31s {color} | {color:red} hadoop-common-project: The patch generated 5 new + 211 unchanged - 5 fixed = 216 total (was 216) {color} | | {color:green}+1{color} | {color:green} mvnsite {color} | {color:green} 1m 26s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} mvneclipse {color} | {color:green} 0m 24s {color} | {color:green} the patch passed {color} | | {color:green}+1{color} | {color:green} whitespace {color} | {color:green} 0m 0s {color} | {color:green} The patch has no whitespace issues. {color} | | {color:red}-1{color} | {color:red} findbugs {color} | {color:red} 1m 54s {color} | {color:red} hadoop-common-project/hadoop-common generated 3 new + 0 unchanged - 0 fixed = 3 total (was 0) {color} | | {color:green}+1{color} | {color:green} javadoc {color} | {color:green} 1m 20s {color} | {color:green} the patch passed {color} | | {color:red}-1{color} | {color:red} unit {color} | {color:red} 8m 45s {color} | {color:red} hadoop-common in the patch failed. {color} | | {color:green}+1{color} | {color:green} unit {color} | {color:green} 1m 40s {color} | {color:green} hadoop-kms in the patch passed. {color} | | {color:green}+1{color} | {color:green} asflicense {color} | {color:green} 0m 21s {color} | {color:green} The patch does not generate ASF License warnings. {color} | | {color:black}{color} | {color:black} {color} | {color:black} 50m 31s {color} | {color:black} {color} | \\ \\ || Reason || Tests || | FindBugs | module:hadoop-common-project/hadoop-common | | | Load of known null value in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.cancel(Token, Configuration) At KMSClientProvider.java:in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.cancel(Token, Configuration) At KMSClientProvider.java:[line 187] | | | Load of known null value in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.renew(Token, Configuration) At KMSClientProvider.java:in org.apache.hadoop.crypto.key.kms.KMSClientProvider$KMSTokenRenewer.renew(Token, Configuration) At KMSClientProvider.java:[line 173] | | | Possible null pointer dereference of dToken in org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.appendDelegationToken(URL, AuthenticatedURL$Token, Token, HttpURLConnection) Dereferenced at DelegationTokenAuthenticator.java:dToken in org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticator.appendDelegationToken(URL, AuthenticatedURL$Token, Token,
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15305134#comment-15305134 ] Andrew Wang commented on HADOOP-13155: -- Thanks for working on this patch Xiao, and thanks Yongjun, Arun, and Wei-Chiu for weighing in. I had a few review comments: * Mildly prefer to keep the newline at the top of KMSClientProvider * Regarding moving the config key, I think the other Renewers get around this by embedding the static class within the parent class and accessing required state statically. I think the parent here would be KMSClientProvider. It wouldn't be good to tie renewal to this HDFS key anyway, since the KMS is used for more than just HDFS encryption. * KMSClientProvider#addDelegationToken and cancelDT just pass a dummy {{url}} to the {{authUrl}} call. Why does renewal in particularly need a URL with USER_NAME set? IIUC this is needed for PseudoAuthentication, but here we're doing DT authentication? * Extra newline in declaration of generateDT in KMSClientProvider * In the new test in TestKMS, can we configure the Kerberos config in testDTOKerberized, and then pass the Configuration to testDelegationTokensOps? I think that's cleaner. * Also recommend doubling the timeout Rule, since things often run slower on overloaded Jenkins servers and we don't want a new flake. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15305041#comment-15305041 ] Wei-Chiu Chuang commented on HADOOP-13155: -- What about using {{hadoop.security.key.provider.path}} instead of {{dfs.encryption.key.provider.uri}}? Reading some documentation, it seems both values should be configured the same. This way you don't need hdfs configs. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
[ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15305042#comment-15305042 ] Hadoop QA commented on HADOOP-13155: | (x) *{color:red}-1 overall{color}* | \\ \\ || Vote || Subsystem || Runtime || Comment || | {color:blue}0{color} | {color:blue} reexec {color} | {color:blue} 0m 0s {color} | {color:blue} Docker mode activated. {color} | | {color:red}-1{color} | {color:red} docker {color} | {color:red} 3m 12s {color} | {color:red} Docker failed to build yetus/hadoop:2c91fd8. {color} | \\ \\ || Subsystem || Report/Notes || | JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12806771/HADOOP-13155.04.patch | | JIRA Issue | HADOOP-13155 | | Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/9611/console | | Powered by | Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org | This message was automatically generated. > Implement TokenRenewer to renew and cancel delegation tokens in KMS > --- > > Key: HADOOP-13155 > URL: https://issues.apache.org/jira/browse/HADOOP-13155 > Project: Hadoop Common > Issue Type: Bug >Reporter: Xiao Chen >Assignee: Xiao Chen > Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, > HADOOP-13155.03.patch, HADOOP-13155.04.patch, HADOOP-13155.pre.patch > > > Service DelegationToken (DT) renewal is done in Yarn by > {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}}, > where it calls {{Token#renew}} and uses ServiceLoader to find the renewer > class > ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]), > and invokes the renew method from it. > We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence > Yarn defaults to {{TrivialRenewer}} for DT of such kinds, resulting in the > token not being renewed. > As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} > API, but I don't see it invoked in hadoop code base. KMS does not have any > renew hook. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org