[ https://issues.apache.org/jira/browse/HADOOP-12659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15065208#comment-15065208 ]
Arun Suresh commented on HADOOP-12659: -------------------------------------- Thanks for reporting this... The patch looks good. +1 pending jenkins > Incorrect usage of config parameters in token manager of KMS > ------------------------------------------------------------ > > Key: HADOOP-12659 > URL: https://issues.apache.org/jira/browse/HADOOP-12659 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 2.7.1, 2.6.2 > Reporter: Tianyin Xu > Assignee: Mingliang Liu > Attachments: HADOOP-12659.000.patch > > > Hi, the usage of the following configs of Key Management Server (KMS) are > problematic: > {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} > {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} > The name indicates that the units are {{sec}}, and the online doc shows that > the default values are {{86400}} and {{3600}}, respectively. > https://hadoop.apache.org/docs/stable/hadoop-kms/index.html > which is also defined in > {code:title=DelegationTokenManager.java|borderStyle=solid} > 55 public static final String RENEW_INTERVAL = PREFIX + > "renew-interval.sec"; > 56 public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60; > ... > 58 public static final String REMOVAL_SCAN_INTERVAL = PREFIX + > 59 "removal-scan-interval.sec"; > 60 public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60; > {code} > However, in {{DelegationTokenManager.java}} and > {{ZKDelegationTokenSecretManager.java}}, these two parameters are used > incorrectly. > 1. *{{DelegationTokenManager.java}}* > {code} > 70 conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000, > 71 conf.getLong(REMOVAL_SCAN_INTERVAL, > 72 REMOVAL_SCAN_INTERVAL_DEFAULT * 1000)); > {code} > Apparently, at Line 72, {{REMOVAL_SCAN_INTERVAL}} should be used in the same > way as {{RENEW_INTERVAL}}, like > {code} > 72c72 > < REMOVAL_SCAN_INTERVAL_DEFAULT * 1000)); > --- > > REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000); > {code} > Currently, the unit of > {{hadoop.kms.authentication.delegation-token.removal-scan-interval.sec}} is > not {{sec}} but {{millisec}}. > 2. *{{ZKDelegationTokenSecretManager.java}}* > {code} > 142 conf.getLong(DelegationTokenManager.RENEW_INTERVAL, > 143 DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000), > 144 conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL, > 145 DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000); > {code} > The situation is the opposite in this class that > {{hadoop.kms.authentication.delegation-token.renew-interval.sec}} is wrong > but the other is correct... > A patch should be like > {code} > 143c143 > < DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000), > --- > > DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000, > {code} > Thanks! -- This message was sent by Atlassian JIRA (v6.3.4#6332)