[ 
https://issues.apache.org/jira/browse/YARN-11448?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17695118#comment-17695118
 ] 

ASF GitHub Bot commented on YARN-11448:
---------------------------------------

slfan1989 commented on code in PR #5443:
URL: https://github.com/apache/hadoop/pull/5443#discussion_r1121844947


##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.java:
##########
@@ -67,9 +67,9 @@
 
 @InterfaceAudience.Public
 @InterfaceStability.Evolving
-public abstract 
-class AbstractDelegationTokenSecretManager<TokenIdent 
-extends AbstractDelegationTokenIdentifier> 
+public abstract
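
Review bot: The re-wrapped class declaration starting at `public abstract` should either be left out of this patch or be called out as formatting-only in the PR description. In the visible lines the only difference on the first changed line is the trailing space, and the hunk is cut off before the replacements for the `class AbstractDelegationTokenSecretManager<TokenIdent` and `extends AbstractDelegationTokenIdentifier>` lines appear. The class is annotated `@InterfaceAudience.Public`, so a reader needs to be able to confirm quickly that the type parameter and its bound are unchanged.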

Review Comment:
   I am a little worried that changes in this class may affect many subclasses.
   





> [Federation] Make Router Delegation token secret manager completely stateless
> -----------------------------------------------------------------------------
>
>                 Key: YARN-11448
>                 URL: https://issues.apache.org/jira/browse/YARN-11448
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: router
>    Affects Versions: 3.4.0
>            Reporter: Krishan Goyal
>            Assignee: Krishan Goyal
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>
> Currently the router secret manager requires routers to be stateful & with
> clients using sticky sessions.
> Otherwise, there are several issues, mentioned below, which lead to the
> delegation token functionality not working across router instances.
> E.g.:
>  # allKeys needs to be consistently updated across all router instances
>  # DB update exceptions are swallowed & returned as a success if just the
> in-memory variables are updated
>  # Purging Delegation Token / Master key on expiry assumes all tokens are
> available in memory
>  # APIs like get all tokens return only in-memory data, which is incorrect
> A more scalable & maintainable framework for Router would be to design it
> as a stateless service. Given database KV lookups are in the order of < 10
> ms, it doesn't add any latency overhead and makes router easier to maintain.
> Plus a stateless router setup, with no assumptions of stickiness, makes the
> router framework more generic.
> Additionally, some of the functionality around master key ids, delegation
> token sequence numbers is implemented as globally autoincrement ids, which too
> isn't feasible across all datastores. The actual requirement is to generate
> unique keys for master key ids / delegation tokens, which is a much
> simpler & more generic solution. Plus certain APIs like get sequence no / set
> sequence no aren't applicable for router and we can avoid providing them to
> make things much simpler.
> This patch addresses these functional concerns while working within the
> interfaces of AbstractDelegationTokenSecretManager.
> As a later patch, we can create better delegation token interfaces to support
> both stateful & stateless secret managers.
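
The stateless design described in the issue, as an added Java sketch that is not code from the PR or from Hadoop: two router instances share one store, token ids are unique rather than sequential, and a store failure reaches the caller instead of being masked by in-memory state. `SharedStore`, `StatelessRouter` and their methods are hypothetical names, and an in-memory map stands in for the shared database.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: none of these types are Hadoop classes.
public class StatelessTokenDemo {
  /** Shared datastore seen by every router instance (constructed stand-in). */
  static class SharedStore {
    private final Map<Long, Long> tokenExpiry = new ConcurrentHashMap<>();
    volatile boolean failing;                       // simulates a DB outage
    /** Returns false if the id already exists, so the caller can retry. */
    boolean putIfAbsent(long id, long expiry) throws IOException {
      if (failing) throw new IOException("store unavailable");
      return tokenExpiry.putIfAbsent(id, expiry) == null;
    }
    Long get(long id) throws IOException {
      if (failing) throw new IOException("store unavailable");
      return tokenExpiry.get(id);
    }
  }

  /** One router instance; it holds no token state of its own. */
  static class StatelessRouter {
    private final SharedStore store;
    private final SecureRandom rng = new SecureRandom();
    StatelessRouter(SharedStore store) { this.store = store; }

    /** Unique (not sequential) id; a store failure propagates to the caller. */
    long issue(long expiry) throws IOException {
      while (true) {
        long id = rng.nextLong();
        if (store.putIfAbsent(id, expiry)) return id;  // on collision, retry
      }
    }
    /** Validity is decided from the store on every call, never from memory. */
    boolean isValid(long id, long now) throws IOException {
      Long expiry = store.get(id);
      return expiry != null && expiry > now;
    }
  }

  public static void main(String[] args) throws Exception {
    SharedStore db = new SharedStore();
    StatelessRouter a = new StatelessRouter(db), b = new StatelessRouter(db);
    long id = a.issue(1_000L);
    System.out.println("issued by A, valid on B: " + b.isValid(id, 500L));
    System.out.println("expired on B: " + !b.isValid(id, 2_000L));
    db.failing = true;
    try { a.issue(1_000L); } catch (IOException e) {
      System.out.println("issue failed loudly: " + e.getMessage());
    }
  }
}
```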


