[
https://issues.apache.org/jira/browse/HADOOP-11482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arun Suresh updated HADOOP-11482:
---------------------------------
Attachment: HADOOP-11482.2.patch
Thanks for the review [~andrew.wang], Updating patch :
* added more comments
* cut down total sleep time from 20 to 8 secs (We unfortunately need atleast 4
secs to ensure the rollover signer rolls over atleast twice... and I put in
another 4 to be on the safe side)
> Clients that cache instances of KMSClientProvider fail Authentication when
> "addDelegationTokens()" method is called after authentication token validity
> expires
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11482
> URL: https://issues.apache.org/jira/browse/HADOOP-11482
> Project: Hadoop Common
> Issue Type: Bug
> Affects Versions: 2.6.0
> Reporter: Arun Suresh
> Assignee: Arun Suresh
> Attachments: HADOOP-11482.1.patch, HADOOP-11482.2.patch
>
>
> Long Living clients of HDFS (For eg. OOZIE) use cached DFSClients which in
> turn use a cached KMSClientProvider to talk to KMS.
> Before an MR Job is run, the job client calls the
> {{DFClient.addDelegationTokens()}} method which calls
> {{addDelegationTokens()}} on the {{KMSClientProvider}} to get any delegation
> token associated to the user.
> Unfortunately, this call uses a cached
> {{DelegationTokenAuthenticationURL.Token}} instance which can cause the
> {{SignerSecretProvider}} implementation of the {{AuthenticationFilter}} at
> the KMS Server end to fail validation. Which results in the MR job itself
> failing.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
