[
https://issues.apache.org/jira/browse/HADOOP-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288558#comment-14288558
]
Andrew Wang commented on HADOOP-11482:
--------------------------------------
Hey Arun, fix looks good, just a few comments:
* Can we expand the comment a bit? Not necessarily obvious to the reader why
the UGI would change.
* The test additions end up sleeping for an additional 20seconds, which is
quite substantial. Is there a way we can test this without such long sleeps?
Thanks again!
> Clients that cache instances of KMSClientProvider fail Authentication when
> "addDelegationTokens()" method is called after authentication token validity
> expires
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11482
> URL: https://issues.apache.org/jira/browse/HADOOP-11482
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Attachments: HADOOP-11482.1.patch
>
>
> Long Living clients of HDFS (For eg. OOZIE) use cached DFSClients which in
> turn use a cached KMSClientProvider to talk to KMS.
> Before an MR Job is run, the job client calls the
> {{DFClient.addDelegationTokens()}} method which calls
> {{addDelegationTokens()}} on the {{KMSClientProvider}} to get any delegation
> token associated to the user.
> Unfortunately, this call uses a cached
> {{DelegationTokenAuthenticationURL.Token}} instance which can cause the
> {{SignerSecretProvider}} implementation of the {{AuthenticationFilter}} at
> the KMS Server end to fail validation. Which results in the MR job itself
> failing.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
