[ https://issues.apache.org/jira/browse/HADOOP-14441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16019857#comment-16019857 ]
Wei-Chiu Chuang commented on HADOOP-14441: ------------------------------------------ Hi [~asuresh] thanks for commenting on this. bq. I agree with Rushabh S Shah. If the KMS is configured to use the ZK delegationtoken secret manager, you would not need to add the DTs from all KMS instances. My test uses doKMSWithZK() which has hadoop.kms.authentication.zk-dt-secret-manager.enable = true. bq. Since a DT issued by 1 KMS instance will be validated by any of its peers. I agree with you completely. The problem is the client side does not know that it should authenticate the KMS#2 using the delegation token obtained from KMS#1. Please take a look at the following code: {code:title=DelegationTokenAuthenticatedURL#openConnection} // delegation token Credentials creds = UserGroupInformation.getCurrentUser(). getCredentials(); if (!creds.getAllTokens().isEmpty()) { InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), url.getPort()); Text service = SecurityUtil.buildTokenService(serviceAddr); dToken = creds.getToken(service); <----- this becomes null in my test case. if (dToken != null) { if (useQueryStringForDelegationToken()) { // delegation token will go in the query string, injecting it extraParams.put( KerberosDelegationTokenAuthenticator.DELEGATION_PARAM, dToken.encodeToUrlString()); } else { // delegation token will go as request header, setting it in the // auth-token to ensure no authentication handshake is triggered // (if we have a delegation token, we are authenticated) // the delegation token header is injected in the connection request // at the end of this method. token.delegationToken = (org.apache.hadoop.security.token.Token <AbstractDelegationTokenIdentifier>) dToken; } } } {code} > LoadBalancingKMSClientProvider#addDelegationTokens should add delegation > tokens from all KMS instances > ------------------------------------------------------------------------------------------------------ > > Key: HADOOP-14441 > URL: https://issues.apache.org/jira/browse/HADOOP-14441 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.7.0 > Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption > Reporter: Wei-Chiu Chuang > Assignee: Wei-Chiu Chuang > Attachments: HADOOP-14441.001.patch, HADOOP-14441.002.patch, > HADOOP-14441.003.patch > > > LoadBalancingKMSClientProvider only gets delegation token from one KMS > instance, in a round-robin fashion. This is arguably a bug, as JavaDoc for > {{KeyProviderDelegationTokenExtension#addDelegationTokens}} states: > {quote} > /** > * The implementer of this class will take a renewer and add all > * delegation tokens associated with the renewer to the > * <code>Credentials</code> object if it is not already present, > ... > **/ > {quote} > This bug doesn't pop up very often, because HDFS clients such as MapReduce > unintentionally calls {{FileSystem#addDelegationTokens}} multiple times. > We have a custom client that accesses HDFS/KMS-HA using delegation token, and > we were puzzled why it always throws "Failed to find any Kerberos tgt" > exceptions talking to one KMS but not the other. Turns out that client > couldn't talk to the KMS because {{FileSystem#addDelegationTokens}} only gets > one KMS delegation token at a time. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org