hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew Wang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13155) Implement TokenRenewer to renew and cancel delegation tokens in KMS
Date Sat, 28 May 2016 03:21:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15305134#comment-15305134

Andrew Wang commented on HADOOP-13155:

Thanks for working on this patch Xiao, and thanks Yongjun, Arun, and Wei-Chiu for weighing
in. I had a few review comments:

* Mildly prefer to keep the newline at the top of KMSClientProvider
* Regarding moving the config key, I think the other Renewers get around this by embedding
the static class within the parent class and accessing required state statically. I think
the parent here would be KMSClientProvider. It wouldn't be good to tie renewal to this HDFS
key anyway, since the KMS is used for more than just HDFS encryption.
* KMSClientProvider#addDelegationToken and cancelDT just pass a dummy {{url}} to the {{authUrl}}
call. Why does renewal in particularly need a URL with USER_NAME set? IIUC this is needed
for PseudoAuthentication, but here we're doing DT authentication?
* Extra newline in declaration of generateDT in KMSClientProvider
* In the new test in TestKMS, can we configure the Kerberos config in testDTOKerberized, and
then pass the Configuration to testDelegationTokensOps? I think that's cleaner.
* Also recommend doubling the timeout Rule, since things often run slower on overloaded Jenkins
servers and we don't want a new flake.

> Implement TokenRenewer to renew and cancel delegation tokens in KMS
> -------------------------------------------------------------------
>                 Key: HADOOP-13155
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13155
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13155.01.patch, HADOOP-13155.02.patch, HADOOP-13155.03.patch,
HADOOP-13155.04.patch, HADOOP-13155.pre.patch
> Service DelegationToken (DT) renewal is done in Yarn by {{org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer}},
where it calls {{Token#renew}} and uses ServiceLoader to find the renewer class ([code|https://github.com/apache/hadoop/blob/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/Token.java#L382]),
and invokes the renew method from it.
> We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence Yarn defaults
to {{TrivialRenewer}} for DT of such kinds, resulting in the token not being renewed.
> As a side note, {{HttpFSFileSystem}} does have a {{renewDelegationToken}} API, but I
don't see it invoked in hadoop code base. KMS does not have any renew hook.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message