[ https://issues.apache.org/jira/browse/YARN-11448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695047#comment-17695047 ]
Krishan Goyal commented on YARN-11448:
--------------------------------------

PR - [https://github.com/apache/hadoop/pull/5443/files]

> [Federation] Make Router Delegation token secret manager completely stateless
> -----------------------------------------------------------------------------
>
>                 Key: YARN-11448
>                 URL: https://issues.apache.org/jira/browse/YARN-11448
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Krishan Goyal
>            Assignee: Krishan Goyal
>            Priority: Major
>             Fix For: 3.4.0
>
>
> Currently router secret manager requires routers to be stateful & with
> clients using sticky sessions.
> Otherwise, there are several issues mentioned below which lead to the
> delegation token functionality not working across router instances
> Eg:
> # allKeys needs to be consistently updated across all router instances
> # DB update exceptions are swallowed & returned as a success if just in
> memory variables are updated
> # Purging Delegation Token / Master key on expiry assumes all tokens are
> available in memory
> # APIs like get all tokens return only in memory data which is incorrect
> A more scalable & maintainable framework for Router would be to design it
> as a stateless service. Given database KV lookups are in the order of < 10
> ms, it doesn't add any latency overhead and makes router easier to maintain.
> Plus a stateless router setup, with no assumptions of stickiness makes the
> router framework more generic.
> Additionally, some of the functionality around master key ids, delegation
> token sequence numbers is implemented as globally autoincrement ids which too
> isn't feasible across all datastores. The actual requirement is to generate
> unique keys for master key ids / delegation tokens which is a much
> simpler & generic solution. Plus certain APIs like get sequence no / set
> sequence no aren't applicable for router and we can avoid providing them to
> make things much simpler.
> This patch addresses these functional concerns while working within the
> interfaces of AbstractDelegationTokenSecretManager.
> As a later patch, we can create better delegation token interfaces to support
> both stateful & stateless secret managers.
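
The failure modes listed in the issue description above (per-router in-memory state, store errors reported as success, auto-increment ids), as an added Python sketch that is not code from the Hadoop patch or from the comment's author. `SharedStore`, `StatelessRouterSecretManager`, the key naming scheme, UUID ids and HMAC-SHA256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import uuid


class SharedStore:
    """Constructed stand-in for the database shared by all router instances."""
    def __init__(self):
        self.rows = {}
        self.fail_writes = False   # flip to simulate a DB outage

    def put(self, key, value):
        if self.fail_writes:
            raise IOError("store unavailable")
        self.rows[key] = value

    def get(self, key):
        return self.rows.get(key)


class StatelessRouterSecretManager:
    """Hypothetical sketch: keeps no token or master-key state between calls."""
    def __init__(self, store):
        self.store = store

    def roll_master_key(self):
        key_id = uuid.uuid4().hex  # unique id, no global auto-increment needed
        self.store.put("key:" + key_id, secrets.token_bytes(32))
        self.store.put("current_key", key_id)
        return key_id

    def issue_token(self, owner):
        key_id = self.store.get("current_key")
        if key_id is None:
            raise RuntimeError("no master key in store")
        ident = f"{owner}:{uuid.uuid4().hex}:{key_id}".encode()
        key = self.store.get("key:" + key_id)
        password = hmac.new(key, ident, hashlib.sha256).digest()
        # Write-through: a store failure propagates, it is never a "success".
        self.store.put("token:" + ident.decode().rsplit(":", 2)[1], ident)
        return ident, password

    def verify(self, ident, password):
        parts = ident.decode().rsplit(":", 2)
        if len(parts) != 3:
            return False
        stored = self.store.get("token:" + parts[1])
        key = self.store.get("key:" + parts[2])
        if stored != ident or key is None:
            return False           # unknown, cancelled or purged
        expected = hmac.new(key, ident, hashlib.sha256).digest()
        return hmac.compare_digest(expected, password)
```

Because every lookup goes to the shared store, a token issued by one instance verifies on any other without sticky sessions, and removing the token row invalidates it everywhere at once.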