[jira] [Commented] (HADOOP-13251) Authenticate with Kerberos credentials when renewing KMS delegation token
[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15361884#comment-15361884 ] Xiao Chen commented on HADOOP-13251: Hi [~aw], Sorry for my late response, I was on PTO last week. I feel this jira is orthogonal to the underlying kerberos implementations, so I would expect the current test cases cover each implementation by itself. Makes sense? > Authenticate with Kerberos credentials when renewing KMS delegation token > - > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, > HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, > HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, > HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, > HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work > well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with > renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then > renews these DTs as long as the MR jobs are running. But currently, the token > is used at the kms server side to decide the renewer, in which case is always > the token's owner. This ends up rejecting the renew request due to renewer > mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13251) Authenticate with Kerberos credentials when renewing KMS delegation token
[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15352933#comment-15352933 ] Allen Wittenauer commented on HADOOP-13251: --- What happens when an AltKerberos implementation is used? Has that been tested? > Authenticate with Kerberos credentials when renewing KMS delegation token > - > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, > HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, > HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, > HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, > HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work > well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with > renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then > renews these DTs as long as the MR jobs are running. But currently, the token > is used at the kms server side to decide the renewer, in which case is always > the token's owner. This ends up rejecting the renew request due to renewer > mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13251) Authenticate with Kerberos credentials when renewing KMS delegation token
[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15352265#comment-15352265 ] Xiao Chen commented on HADOOP-13251: Thank you so much Andrew! I really appreciate your patient reviews and advice. > Authenticate with Kerberos credentials when renewing KMS delegation token > - > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, > HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, > HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, > HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, > HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work > well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with > renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then > renews these DTs as long as the MR jobs are running. But currently, the token > is used at the kms server side to decide the renewer, in which case is always > the token's owner. This ends up rejecting the renew request due to renewer > mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
[jira] [Commented] (HADOOP-13251) Authenticate with Kerberos credentials when renewing KMS delegation token
[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15352182#comment-15352182 ] Hudson commented on HADOOP-13251: - SUCCESS: Integrated in Hadoop-trunk-Commit #10022 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/10022/]) HADOOP-13251. Authenticate with Kerberos credentials when renewing KMS (wang: rev 771f798edf97b27ae003395118c0317b484df6ee) * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenManager.java * hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/web/DelegationTokenAuthenticator.java * hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java * hadoop-common-project/hadoop-kms/src/site/markdown/index.md.vm > Authenticate with Kerberos credentials when renewing KMS delegation token > - > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms >Affects Versions: 2.8.0 >Reporter: Xiao Chen >Assignee: Xiao Chen > Fix For: 2.8.0 > > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, > HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, > HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, > HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, > HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work > well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with > renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then > renews these DTs as long as the MR jobs are running. But currently, the token > is used at the kms server side to decide the renewer, in which case is always > the token's owner. This ends up rejecting the renew request due to renewer > mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) - To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: common-issues-h...@hadoop.apache.org
