[ 
https://issues.apache.org/jira/browse/HDDS-9442?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

István Fajth resolved HDDS-9442.
--------------------------------
    Fix Version/s: 1.4.0
       Resolution: Not A Bug

As it turned out, the environment where we have seen the problem is running an 
older version of the code, where HDDS-8879 is not present.

Prior to HDDS-8879 this issue was real, as the OMCertificateClient created the 
SCMCertificateClient based on the UserGroupInformation#getCurrentUser() method, 
which is the remote user in case a Hadoop RPC request handler runs the code. 
So if an OM tried to download another certificate while handling a Hadoop RPC 
request, the download failed, because for the remote user we do not have 
Kerberos credentials in the UGI we get from ipc.Server.Connection to run the 
handling of the Call in a doAs.

HDDS-8879 accidentally fixed this behaviour by initializing just one SCM 
certificate protocol client with the current user in Ozone Manager's 
initializer code, where the current user is the user we log in with at OM 
startup (in Kerberos, the OM principal), and with that the call to SCM is 
always done in the context of the OM principal from the OMCertificateClient.

I confirmed that I can reproduce the problem with code that does not have 
HDDS-8879, while after it is added the issue is not reproducible anymore, so I 
am closing this one as it is not a bug anymore.

> Token verification from OMs at DT renew happens in the wrong login context.
> ---------------------------------------------------------------------------
>
>                 Key: HDDS-9442
>                 URL: https://issues.apache.org/jira/browse/HDDS-9442
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: Ozone Manager, Security
>            Reporter: István Fajth
>            Assignee: István Fajth
>            Priority: Critical
>             Fix For: 1.4.0
>
>
> In case an OM Leader change happens, none of the longer running jobs that are 
> using Delegation Tokens can use the cluster anymore and fail. (reported by 
> [~pifta])
> More details to be filled in later.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
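
The login-context difference described in the resolution comment, as an added example that is not part of the original message and is not Ozone code. It needs hadoop-common on the classpath; `LoginContextDemo`, `ScmClientStub` and the user name `job-user` are hypothetical names chosen for illustration.

```java
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.security.UserGroupInformation;

/** Constructed demo; ScmClientStub is hypothetical, not an Ozone class. */
public class LoginContextDemo {

  /** Stand-in for an SCM protocol client bound to the identity it was built with. */
  static final class ScmClientStub {
    private final UserGroupInformation caller;

    ScmClientStub(UserGroupInformation caller) {
      this.caller = caller;
    }

    /** Runs the "call" inside the bound identity and reports who the callee would see. */
    String callAs() throws IOException, InterruptedException {
      return caller.doAs((PrivilegedExceptionAction<String>) () ->
          UserGroupInformation.getCurrentUser().getUserName()
              + " (kerberos credentials: " + caller.hasKerberosCredentials() + ")");
    }
  }

  /** Pattern described as pre-HDDS-8879: identity resolved at the time of use. */
  static ScmClientStub perCallClient() throws IOException {
    return new ScmClientStub(UserGroupInformation.getCurrentUser());
  }

  public static void main(String[] args) throws Exception {
    // At start-up no doAs is active, so the current user is the login user
    // (the OM principal on a Kerberized cluster, the OS user otherwise).
    ScmClientStub sharedClient = new ScmClientStub(UserGroupInformation.getCurrentUser());

    // An RPC handler runs each call in doAs() as the remote user, whose UGI
    // carries no Kerberos credentials of its own.
    UserGroupInformation remote = UserGroupInformation.createRemoteUser("job-user");
    remote.doAs((PrivilegedExceptionAction<Void>) () -> {
      // Built inside the handler: bound to the remote user.
      System.out.println("per-call client calls as: " + perCallClient().callAs());
      // Built once at start-up: still bound to the login user.
      System.out.println("shared client calls as:   " + sharedClient.callAs());
      return null;
    });
  }
}
```

Without a Kerberos login both lines report no Kerberos credentials; what the run shows is which identity each client is bound to when it is used from inside a handler's `doAs`.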
