[
https://issues.apache.org/jira/browse/HDFS-17128?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748749#comment-17748749
]
ASF GitHub Bot commented on HDFS-17128:
---------------------------------------
hchaverri commented on code in PR #5897:
URL: https://github.com/apache/hadoop/pull/5897#discussion_r1278114605
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/SQLDelegationTokenSecretManager.java:
##########
@@ -46,6 +50,9 @@ public abstract class
SQLDelegationTokenSecretManager<TokenIdent
private static final String SQL_DTSM_TOKEN_SEQNUM_BATCH_SIZE =
SQL_DTSM_CONF_PREFIX
+ "token.seqnum.batch.size";
public static final int DEFAULT_SEQ_NUM_BATCH_SIZE = 10;
+ public static final String SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_MS =
SQL_DTSM_CONF_PREFIX
+ + "token.loading.cache.expiration.ms";
+ public static final int SQL_DTSM_TOKEN_LOADING_CACHE_EXPIRATION_DEFAULT_MS =
10000;
Review Comment:
In the tests that I've run, with a lower renew interval, I've seen renewals
come 30 seconds before the expiration time. In our live service I see renewals
happening 2 hours before expiration. I've yet to find how to configure it.
> RBF: SQLDelegationTokenSecretManager should use version of tokens updated by
> other routers
> ------------------------------------------------------------------------------------------
>
> Key: HDFS-17128
> URL: https://issues.apache.org/jira/browse/HDFS-17128
> Project: Hadoop HDFS
> Issue Type: Improvement
> Components: rbf
> Reporter: Hector Sandoval Chaverri
> Priority: Major
> Labels: pull-request-available
>
> The SQLDelegationTokenSecretManager keeps tokens that it has interacted with
> in a memory cache. This prevents routers from connecting to the SQL server
> for each token operation, improving performance.
> We've noticed issues with some tokens being loaded in one router's cache and
> later renewed on a different one. If clients try to use the token in the
> outdated router, it will throw an "Auth failed" error when the cached token's
> expiration has passed.
> This can also affect cancelation scenarios since a token can be removed from
> one router's cache and still exist in another one.
> A possible solution is already implemented on the
> ZKDelegationTokenSecretManager, which consists of having an executor
> refreshing each router's cache on a periodic basis. We should evaluate
> whether this will work with the volume of tokens expected to be handled by
> the SQLDelegationTokenSecretManager.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
