[ https://issues.apache.org/jira/browse/HADOOP-14441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16020375#comment-16020375 ]
Arun Suresh commented on HADOOP-14441: -------------------------------------- bq. Does anyone know how to create LBKMSClientProviderUrl with different ports ? Using the default factory, you can't. The way around this is to create a dummy KeyProviderFactory that extends the KMSKeyProviderFactory that constructs the LBKMSClientProvider the way your test case desires. The name of the Dummy Key Provider should then be added to the resources/META-INF/services/org.apache.hadoop.crypto.key.KeyProviderFactory file so that it can be instantiated. > LoadBalancingKMSClientProvider#addDelegationTokens should add delegation > tokens from all KMS instances > ------------------------------------------------------------------------------------------------------ > > Key: HADOOP-14441 > URL: https://issues.apache.org/jira/browse/HADOOP-14441 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.7.0 > Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption > Reporter: Wei-Chiu Chuang > Assignee: Wei-Chiu Chuang > Attachments: HADOOP-14441.001.patch, HADOOP-14441.002.patch, > HADOOP-14441.003.patch > > > LoadBalancingKMSClientProvider only gets delegation token from one KMS > instance, in a round-robin fashion. This is arguably a bug, as JavaDoc for > {{KeyProviderDelegationTokenExtension#addDelegationTokens}} states: > {quote} > /** > * The implementer of this class will take a renewer and add all > * delegation tokens associated with the renewer to the > * <code>Credentials</code> object if it is not already present, > ... > **/ > {quote} > This bug doesn't pop up very often, because HDFS clients such as MapReduce > unintentionally calls {{FileSystem#addDelegationTokens}} multiple times. > We have a custom client that accesses HDFS/KMS-HA using delegation token, and > we were puzzled why it always throws "Failed to find any Kerberos tgt" > exceptions talking to one KMS but not the other. Turns out that client > couldn't talk to the KMS because {{FileSystem#addDelegationTokens}} only gets > one KMS delegation token at a time. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org