[ https://issues.apache.org/jira/browse/YARN-11448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695118#comment-17695118 ]
ASF GitHub Bot commented on YARN-11448:
---------------------------------------

slfan1989 commented on code in PR #5443:
URL: https://github.com/apache/hadoop/pull/5443#discussion_r1121844947

##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java:
##########
@@ -67,9 +67,9 @@ @InterfaceAudience.Public @InterfaceStability.Evolving -public abstract -class AbstractDelegationTokenSecretManager<TokenIdent -extends AbstractDelegationTokenIdentifier> +public abstract

Review Comment:
   I am a little worried that changes in this class may affect many sub classes
   <img width="1672" alt="image" src="https://user-images.githubusercontent.com/55643692/222172441-dee6dd5f-2d6b-4a8a-a556-c2b727a43ea4.png">

> [Federation] Make Router Delegation token secret manager completely stateless
> -----------------------------------------------------------------------------
>
>                 Key: YARN-11448
>                 URL: https://issues.apache.org/jira/browse/YARN-11448
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Krishan Goyal
>            Assignee: Krishan Goyal
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>
> Currently router secret manager requires routers to be stateful & with
> clients using sticky sessions.
> Otherwise, there are several issues mentioned below which lead to the
> delegation token functionality not working across router instances
> Eg:
> # allKeys needs to be consistently updated across all router instances
> # DB update exceptions are swallowed & returned as a success if just in
> memory variables are updated
> # Purging Delegation Token / Master key on expiry assumes all tokens are
> available in memory
> # APIs like get all tokens return only in memory data which is incorrect
> A more scalable & maintainable framework for Router would be to design it
> as a stateless service. Given database KV lookups are in the order of < 10
> ms, it doesn't add any latency overhead and makes router easier to maintain.
> Plus a stateless router setup, with no assumptions of stickiness makes the
> router framework more generic.
> Additionally, some of the functionality around master key ids, delegation
> token sequence numbers is implemented as globally autoincrement ids which too
> isn't feasible across all datastores. The actual requirement is to generate
> unique keys for master key ids / delegation tokens which is a much
> simpler & generic solution. Plus certain apis like get sequence no / set
> sequence no aren't applicable for router and we can avoid providing them to
> make things much simpler.
> This patch addresses these functional concerns while working within the
> interfaces of AbstractDelegationTokenSecretManager.
> As a later patch, we can create better delegation token interfaces to support
> both stateful & stateless secret managers.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
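
Review bot: The declaration touched at line 67 of AbstractDelegationTokenSecretManager.java sits directly under @InterfaceAudience.Public and @InterfaceStability.Evolving, so any change to the class signature is visible to subclasses outside this module. The visible part of the hunk removes the three-line declaration ending in "extends AbstractDelegationTokenIdentifier>" and starts its replacement with "public abstract", but the new signature is not shown. If the change only re-wraps the declaration, drop it from the patch so the diff to this shared class stays minimal; if it alters the type parameter or its bound, state the compatibility impact in the class Javadoc and the release note.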
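
The issue description above asks for three properties: no per-router in-memory state, store failures that reach the caller, and unique ids instead of a global autoincrement counter. The following is an added sketch of those properties, not code from PR #5443 or from Hadoop; `StatelessTokenStoreSketch`, `KvStore`, `MapKvStore` and the `masterkey/` key prefix are hypothetical names, and the in-memory map only stands in for a shared database.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical sketch: every call goes to the shared store, nothing is cached per router. */
public class StatelessTokenStoreSketch {
  /** Hypothetical minimal KV interface standing in for the router's shared state store. */
  interface KvStore {
    boolean putIfAbsent(String key, byte[] value) throws IOException;
    byte[] get(String key) throws IOException;
  }

  /** In-memory stand-in so the sketch runs offline; a deployment would use a shared database. */
  static class MapKvStore implements KvStore {
    private final Map<String, byte[]> data = new ConcurrentHashMap<>();
    public boolean putIfAbsent(String key, byte[] value) { return data.putIfAbsent(key, value) == null; }
    public byte[] get(String key) { return data.get(key); }
  }

  private final KvStore store;
  private final SecureRandom random = new SecureRandom();
  StatelessTokenStoreSketch(KvStore store) { this.store = store; }

  /** Random id made unique by putIfAbsent (no global counter); store failures reach the caller. */
  int storeNewMasterKey(byte[] keyMaterial) throws IOException {
    for (int attempt = 0; attempt < 5; attempt++) {
      int keyId = random.nextInt(Integer.MAX_VALUE);
      if (store.putIfAbsent("masterkey/" + keyId, keyMaterial)) {
        return keyId;
      }
    }
    throw new IOException("could not allocate a unique master key id");
  }

  /** Reads the key from the shared store on every call, so any router instance can resolve it. */
  byte[] getMasterKey(int keyId) throws IOException {
    byte[] key = store.get("masterkey/" + keyId);
    if (key == null) throw new IOException("unknown master key id " + keyId);
    return key;
  }

  public static void main(String[] args) throws IOException {
    KvStore shared = new MapKvStore();  // one store shared by both router instances
    StatelessTokenStoreSketch routerA = new StatelessTokenStoreSketch(shared);
    StatelessTokenStoreSketch routerB = new StatelessTokenStoreSketch(shared);
    int id = routerA.storeNewMasterKey(new byte[] {1, 2, 3});  // constructed sample key material
    System.out.println("router B resolved key of length " + routerB.getMasterKey(id).length);
  }
}
```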