[ https://issues.apache.org/jira/browse/YARN-11448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated YARN-11448:
----------------------------------
    Labels: pull-request-available  (was: )

> [Federation] Make Router Delegation token secret manager completely stateless
> -----------------------------------------------------------------------------
>
>                 Key: YARN-11448
>                 URL: https://issues.apache.org/jira/browse/YARN-11448
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Krishan Goyal
>            Assignee: Krishan Goyal
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>
> Currently router secret manager requires routers to be stateful & with 
> clients using sticky sessions.
> Otherwise, there are several issues mentioned below which lead to the 
> delegation token functionality not working across router instances.
> E.g.:
>  # allKeys needs to be consistently updated across all router instances
>  # DB update exceptions are swallowed & returned as a success if just in 
> memory variables are updated
>  # Purging Delegation Token / Master key on expiry assumes all tokens are 
> available in memory
>  # APIs like get all tokens return only in memory data which is incorrect
> A more scalable & maintainable framework for Router would be to design it 
> as a stateless service. Given database KV lookups are in the order of < 10 
> ms, it doesn't add any latency overhead and makes router easier to maintain. 
> Plus a stateless router setup, with no assumptions of stickiness, makes the 
> router framework more generic. 
> Additionally, some of the functionality around master key ids, delegation 
> token sequence numbers is implemented as globally autoincrement ids, which too 
> isn't feasible across all datastores. The actual requirement is to generate 
> unique keys for master key ids / delegation tokens, which is a much 
> simpler & more generic solution. Plus certain APIs like get sequence no / set 
> sequence no aren't applicable for router and we can avoid providing them to 
> make things much simpler.  
> This patch addresses these functional concerns while working within the 
> interfaces of AbstractDelegationTokenSecretManager. 
> As a later patch, we can create better delegation token interfaces to support 
> both stateful & stateless secret managers. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
