[ https://issues.apache.org/jira/browse/HDFS-10757?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Shelukhin updated HDFS-10757:
------------------------------------
    Description: 
ClientContext::get gets the context from CACHE via a config setting based name, 
then KeyProviderCache stored in ClientContext gets the key provider cached by 
URI from the configuration, too. These would return the same KeyProvider 
regardless of current UGI.
KMSClientProvider caches the UGI (actualUgi) in ctor; that means in particular 
that all the users of DFS with KMSClientProvider in a process will get the KMS 
token (along with other credentials) of the first user, via the above cache.

Either KMSClientProvider shouldn't store the UGI, or one of the caches should 
be UGI-aware, like the FS object cache.

  was:
ClientContext::get gets the context from cache via a config setting based name, 
then KeyProviderCache stored in ClientContext gets the key provider cached by 
URI stored in configuration, too.
KMSClientProvider caches the UGI (actualUgi) in ctor; that means in particular 
that all the users of DFS with KMSClientProvider in a process will get the KMS 
token (along with other credentials) of the first user...

Either KMSClientProvider shouldn't store the UGI, or one of the caches should 
be UGI-aware, like the FS object cache.


> KMSClientProvider combined with KeyProviderCache results in wrong UGI being 
> used
> --------------------------------------------------------------------------------
>
>                 Key: HDFS-10757
>                 URL: https://issues.apache.org/jira/browse/HDFS-10757
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Sergey Shelukhin
>            Priority: Critical
>
> ClientContext::get gets the context from CACHE via a config setting based 
> name, then KeyProviderCache stored in ClientContext gets the key provider 
> cached by URI from the configuration, too. These would return the same 
> KeyProvider regardless of current UGI.
> KMSClientProvider caches the UGI (actualUgi) in ctor; that means in 
> particular that all the users of DFS with KMSClientProvider in a process will 
> get the KMS token (along with other credentials) of the first user, via the 
> above cache.
> Either KMSClientProvider shouldn't store the UGI, or one of the caches should 
> be UGI-aware, like the FS object cache.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
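
The caching pattern described in the report, reduced to a self-contained sketch; this is an added example, not Hadoop code and not part of the original message. `Provider`, `Key`, `getShared`, `getPerUser`, the user names and the KMS URI are all hypothetical stand-ins (Java 16+ for the `record`).

```java
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ProviderCacheDemo {
    // Hypothetical stand-in for a provider that, like KMSClientProvider in the
    // report, captures the caller's identity once, in its constructor.
    static final class Provider {
        final URI uri;
        final String capturedUser;
        Provider(URI uri, String currentUser) {
            this.uri = uri;
            this.capturedUser = currentUser;
        }
        // Identity whose credentials every later call through this object uses.
        String authenticatesAs() { return capturedUser; }
    }

    // Cache key that includes the identity (the "UGI-aware" option in the report).
    record Key(URI uri, String user) {}

    static final Map<URI, Provider> byUri = new ConcurrentHashMap<>();
    static final Map<Key, Provider> byUriAndUser = new ConcurrentHashMap<>();

    // Reported pattern: lookup keyed by URI only, so the first caller's
    // provider (and its captured identity) is handed to everyone.
    static Provider getShared(URI uri, String currentUser) {
        return byUri.computeIfAbsent(uri, u -> new Provider(u, currentUser));
    }

    // Identity-aware lookup: one provider per (URI, user) pair.
    static Provider getPerUser(URI uri, String currentUser) {
        return byUriAndUser.computeIfAbsent(
            new Key(uri, currentUser), k -> new Provider(k.uri(), k.user()));
    }

    public static void main(String[] args) {
        // Constructed sample URI; not taken from any real deployment.
        URI kms = URI.create("kms://https@kms.example.invalid:9600/kms");

        getShared(kms, "alice");                 // first user populates the cache
        Provider shared = getShared(kms, "bob"); // second user gets the same object
        System.out.println("URI-keyed cache, caller=bob, acts as: "
            + shared.authenticatesAs());

        getPerUser(kms, "alice");
        Provider own = getPerUser(kms, "bob");   // distinct entry for bob
        System.out.println("(URI,user)-keyed cache, caller=bob, acts as: "
            + own.authenticatesAs());
    }
}
```

The other remedy named in the report, not storing the identity in the provider at all, would instead resolve the current user inside each call rather than in the constructor.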
