[ https://issues.apache.org/jira/browse/HADOOP-14445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16033492#comment-16033492 ]
Daryn Sharp commented on HADOOP-14445: -------------------------------------- _No more config-based solutions_. It's not logistically possible to manage and update configs in a multi-cluster/multi-kms environment. # A token renewer, like the RM, must be able to instantiate a key provider client in the absence of any configs. That means the service must contain the provider uri or multi-kms environments are not possible. # Duplicating tokens is a no-go. The RM will attempt to unnecessarily renew all of them. The current implementation is broken by design. If we absolutely must keep compatibility with a dubious mix-n-match version environment, it's either going to be hacky, or we abandon the current kms scheme and create a new one that works correctly. > Delegation tokens are not shared between KMS instances > ------------------------------------------------------ > > Key: HADOOP-14445 > URL: https://issues.apache.org/jira/browse/HADOOP-14445 > Project: Hadoop Common > Issue Type: Bug > Components: documentation, kms > Affects Versions: 2.8.0, 3.0.0-alpha1 > Reporter: Wei-Chiu Chuang > Assignee: Rushabh S Shah > Attachments: HADOOP-14445-branch-2.8.patch > > > As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do > not share delegation tokens. (a client uses KMS address/port as the key for > delegation token) > {code:title=DelegationTokenAuthenticatedURL#openConnection} > if (!creds.getAllTokens().isEmpty()) { > InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(), > url.getPort()); > Text service = SecurityUtil.buildTokenService(serviceAddr); > dToken = creds.getToken(service); > {code} > But KMS doc states: > {quote} > Delegation Tokens > Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation > tokens too. > Under HA, A KMS instance must verify the delegation token given by another > KMS instance, by checking the shared secret used to sign the delegation > token. To do this, all KMS instances must be able to retrieve the shared > secret from ZooKeeper. > {quote} > We should either update the KMS documentation, or fix this code to share > delegation tokens. -- This message was sent by Atlassian JIRA (v6.3.15#6346) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org