[jira] [Commented] (HDFS-14509) DN throws InvalidToken due to inequality of password when upgrade NN 2.x to 3.x

Sun, 29 Sep 2019 00:39:38 -0700 


    [ 
https://issues.apache.org/jira/browse/HDFS-14509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16940277#comment-16940277
 ] 

Yuxuan Wang commented on HDFS-14509:
------------------------------------

[~John Smith] If we add some fields in the future, we still need this patch. 
Trunk is better.
According to hadoop's doc, we should update NN first. At that time, the block 
token will have new fields attached which DN not upgraded yet can't recognize. 
So we have to backport it to 2.x branch and upgrade DN before upgrade to 3.x .
Or I miss [~shv]'s some comment. Can you quote it ? [~ferhui]

> DN throws InvalidToken due to inequality of password when upgrade NN 2.x to 
> 3.x
> -------------------------------------------------------------------------------
>
>                 Key: HDFS-14509
>                 URL: https://issues.apache.org/jira/browse/HDFS-14509
>             Project: Hadoop HDFS
>          Issue Type: Bug
>            Reporter: Yuxuan Wang
>            Priority: Blocker
>              Labels: release-blocker
>         Attachments: HDFS-14509-001.patch
>
>
> According to the doc, if we want to upgrade cluster from 2.x to 3.x, we need 
> upgrade NN first. And there will be a intermediate state that NN is 3.x and 
> DN is 2.x. At that moment, if a client reads (or writes) a block, it will get 
> a block token from NN and then deliver the token to DN who can verify the 
> token. But the verification in the code now is :
> {code:title=BlockTokenSecretManager.java|borderStyle=solid}
> public void checkAccess(...)
> {
>     ...
>     id.readFields(new DataInputStream(new 
> ByteArrayInputStream(token.getIdentifier())));
>     ...
>     if (!Arrays.equals(retrievePassword(id), token.getPassword())) {
>       throw new InvalidToken("Block token with " + id.toString()
>           + " doesn't have the correct token password");
>     }
> }
> {code} 
> And {{retrievePassword(id)}} is:
> {code} 
> public byte[] retrievePassword(BlockTokenIdentifier identifier)
> {
>     ...
>     return createPassword(identifier.getBytes(), key.getKey());
> }
> {code} 
> So, if NN's identifier add new fields, DN will lose the fields and compute 
> wrong password.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org

Reply via email to