Tianyin Xu created HADOOP-12659:
-----------------------------------

             Summary: Incorrect usage of config parameters in token manager of KMS
                 Key: HADOOP-12659
                 URL: https://issues.apache.org/jira/browse/HADOOP-12659
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
    Affects Versions: 2.6.2, 2.7.1
            Reporter: Tianyin Xu
Hi, the usage of the following configs of Key Management Server (KMS) is problematic:

{{hadoop.kms.authentication.delegation-token.renew-interval.sec}}
{{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}}

The names indicate that the unit is {{sec}}, and the online doc shows that the default values are {{86400}} and {{3600}}, respectively.
https://hadoop.apache.org/docs/stable/hadoop-kms/index.html

which is also defined in
{code:title=DelegationTokenManager.java|borderStyle=solid}
 55   public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
 56   public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
 ...
 58   public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
 59       "removal-scan-interval.sec";
 60   public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
{code}

However, in {{DelegationTokenManager.java}} and {{ZKDelegationTokenSecretManager.java}}, these two parameters are used incorrectly.

1. *{{DelegationTokenManager.java}}*
{code}
 70         conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
 71         conf.getLong(REMOVAL_SCAN_INTERVAL,
 72             REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
{code}
Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same way as {{RENEW_INTERVAL}}, like
{code}
72c72
<             REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
---
>             REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
Currently, a configured value of {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} is interpreted in {{millisec}}, not {{sec}}.

2. *{{ZKDelegationTokenSecretManager.java}}*
{code}
142         conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
143             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
144         conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
145             DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
{code}
The situation is the opposite in this class: {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} is wrong but the other is correct...
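Review bot: the 72c72 hunk is correct, but note that both the old `REMOVAL_SCAN_INTERVAL_DEFAULT * 1000)` and the new `REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000` evaluate to the same 3600000 ms when the key is absent, so the defect only surfaces once an operator sets the key explicitly; please add a test that sets hadoop.kms.authentication.delegation-token.removal-scan-interval.sec to a value such as 3600 and asserts that the manager is constructed with 3600000 ms, otherwise the regression can return silently. Any deployment that worked around the bug by configuring a millisecond value will see its scan interval grow by a factor of 1000 after this change, which is worth a line in the release notes.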
A patch should be like
{code}
143c143
<             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
---
>             DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
{code}

Thanks!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
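As an added illustration (not code from the report or from Hadoop), the following stand-alone Java program models the two ways the constructors above read each interval, using a plain {{Map}} in place of Hadoop's {{Configuration}} (an assumption; the local {{getLong}} mimics {{Configuration.getLong(key, default)}}), and shows why the default path hides the bug while an explicitly configured value comes out 1000 times too small.

```java
import java.util.HashMap;
import java.util.Map;

public class KmsIntervalUnits {
    // Key names and defaults as in DelegationTokenManager (values are seconds).
    static final String PREFIX = "hadoop.kms.authentication.delegation-token.";
    static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
    static final String REMOVAL_SCAN_INTERVAL = PREFIX + "removal-scan-interval.sec";
    static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
    static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;

    // Minimal stand-in for Configuration.getLong(key, defaultValue) (assumption).
    static long getLong(Map<String, String> conf, String key, long defaultValue) {
        String v = conf.get(key);
        return v == null ? defaultValue : Long.parseLong(v.trim());
    }

    // Buggy form (line 72 and line 143): only the default is scaled to milliseconds,
    // so a value read from the configuration is passed through unscaled.
    static long buggyMillis(Map<String, String> conf, String key, long defaultSec) {
        return getLong(conf, key, defaultSec * 1000);
    }

    // Fixed form (line 70 and line 145): whatever getLong returns is scaled.
    static long fixedMillis(Map<String, String> conf, String key, long defaultSec) {
        return getLong(conf, key, defaultSec) * 1000;
    }

    public static void main(String[] args) {
        Map<String, String> unset = new HashMap<>();
        // Constructed sample: an operator writes the documented defaults into the config.
        Map<String, String> explicit = new HashMap<>();
        explicit.put(REMOVAL_SCAN_INTERVAL, "3600");
        explicit.put(RENEW_INTERVAL, "86400");

        // Key absent: both forms give 3600000 ms, so tests using defaults never notice.
        System.out.println("scan, unset:  buggy=" + buggyMillis(unset, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT)
            + " ms, fixed=" + fixedMillis(unset, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT) + " ms");
        // Key set to 3600: buggy form scans every 3.6 s, fixed form every hour.
        System.out.println("scan, set:    buggy=" + buggyMillis(explicit, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT)
            + " ms, fixed=" + fixedMillis(explicit, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT) + " ms");
        // Same for the ZK manager's renew interval: 86.4 s instead of 24 h between renewals.
        System.out.println("renew, set:   buggy=" + buggyMillis(explicit, RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT)
            + " ms, fixed=" + fixedMillis(explicit, RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) + " ms");
    }
}
```

Running it prints 3600000/3600000 for the unset case and 3600/3600000 and 86400/86400000 for the explicit cases, which is the check a unit test for the patch should encode.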