[ https://issues.apache.org/jira/browse/HADOOP-14441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16025088#comment-16025088 ]
Yongjun Zhang commented on HADOOP-14441:
----------------------------------------

Hi [~shahrs87],

Would you mind posting your patch to HADOOP-14445 so that we can iterate?

Thanks a lot.

> LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from all KMS instances
> ------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-14441
> URL: https://issues.apache.org/jira/browse/HADOOP-14441
> Project: Hadoop Common
> Issue Type: Bug
> Components: kms
> Affects Versions: 2.7.0
> Environment: CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption
> Reporter: Wei-Chiu Chuang
> Assignee: Wei-Chiu Chuang
> Attachments: HADOOP-14441.001.patch, HADOOP-14441.002.patch, HADOOP-14441.003.patch, HADOOP-14441.004.patch
>
>
> LoadBalancingKMSClientProvider only gets delegation token from one KMS
> instance, in a round-robin fashion. This is arguably a bug, as JavaDoc for
> {{KeyProviderDelegationTokenExtension#addDelegationTokens}} states:
> {quote}
> /**
>  * The implementer of this class will take a renewer and add all
>  * delegation tokens associated with the renewer to the
>  * <code>Credentials</code> object if it is not already present,
> ...
> **/
> {quote}
> This bug doesn't pop up very often, because HDFS clients such as MapReduce
> unintentionally call {{FileSystem#addDelegationTokens}} multiple times.
> We have a custom client that accesses HDFS/KMS-HA using delegation token, and
> we were puzzled why it always throws "Failed to find any Kerberos tgt"
> exceptions talking to one KMS but not the other. Turns out that client
> couldn't talk to the KMS because {{FileSystem#addDelegationTokens}} only gets
> one KMS delegation token at a time.
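The behaviour reported in the quoted issue, as an added example that is not part of the original message and is not Hadoop code: a simplified model in which each KMS instance accepts only a delegation token stored under its own service address. All class names, method names and host names are hypothetical; the per-instance token keying is an assumption taken from the report's description.

```java
import java.util.*;

// Simplified model, not Hadoop code: every class and method name here is hypothetical.
public class KmsTokenModel {
    // Stand-in for Credentials: delegation tokens keyed by the issuing KMS service.
    static class Credentials {
        final Map<String, String> tokens = new LinkedHashMap<>();
    }

    // Stand-in for one KMS instance behind the load-balancing provider.
    static class Kms {
        final String service;
        Kms(String service) { this.service = service; }
        void addDelegationToken(String renewer, Credentials creds) {
            creds.tokens.putIfAbsent(service, "token(" + renewer + ")@" + service);
        }
        // Assumption: a client without a Kerberos TGT needs a token issued for this service.
        boolean accepts(Credentials creds) { return creds.tokens.containsKey(service); }
    }

    static class LoadBalancer {
        final List<Kms> providers;
        int next = 0;
        LoadBalancer(List<Kms> providers) { this.providers = providers; }
        // Reported behaviour: each call asks only one instance, chosen round-robin.
        void addTokensRoundRobin(String renewer, Credentials creds) {
            providers.get(next++ % providers.size()).addDelegationToken(renewer, creds);
        }
        // Behaviour the issue title asks for: collect a token from every instance.
        void addTokensFromAll(String renewer, Credentials creds) {
            for (Kms kms : providers) kms.addDelegationToken(renewer, creds);
        }
    }

    public static void main(String[] args) {
        // Constructed host names.
        List<Kms> kms = Arrays.asList(new Kms("kms1.example.com:16000"), new Kms("kms2.example.com:16000"));
        Credentials once = new Credentials();
        new LoadBalancer(kms).addTokensRoundRobin("yarn", once);
        Credentials all = new Credentials();
        new LoadBalancer(kms).addTokensFromAll("yarn", all);
        for (Kms k : kms) {
            System.out.println(k.service + " round-robin=" + k.accepts(once) + " all=" + k.accepts(all));
        }
    }
}
```

With a single round-robin call the second instance has no usable token, which in this model corresponds to the client falling back to Kerberos and failing against one KMS but not the other.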