[jira] [Created] (HADOOP-14445) Delegation tokens are not shared between KMS instances


JIRA jira@apache.org
Wei-Chiu Chuang created HADOOP-14445:

             Summary: Delegation tokens are not shared between KMS instances
                 Key: HADOOP-14445
                 URL: https://issues.apache.org/jira/browse/HADOOP-14445
             Project: Hadoop Common
          Issue Type: Bug
          Components: documentation, kms
    Affects Versions: 3.0.0-alpha1, 2.8.0
            Reporter: Wei-Chiu Chuang

As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider does not share delegation tokens. (A client uses the KMS address/port as the key for the delegation token.)

      if (!creds.getAllTokens().isEmpty()) {
        InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
        Text service = SecurityUtil.buildTokenService(serviceAddr);
        dToken = creds.getToken(service);

But the KMS doc states:

    Delegation Tokens

    Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too.

    Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper.

We should either update the KMS documentation, or fix this code to share delegation tokens.

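The gap between the documented server-side behaviour and the client-side lookup in the report can be seen in a small model. This is an added example, not Hadoop code or part of the original message: the class name, hostnames, token identifier and secret are constructed, `serviceKey` is a simplified stand-in for `SecurityUtil.buildTokenService` (no DNS resolution), and HMAC-SHA256 stands in for the shared-secret signature.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration: a simplified model, not Hadoop code. */
public class KmsTokenLookupDemo {
    /** Hypothetical stand-in for SecurityUtil.buildTokenService: "host:port", no DNS lookup. */
    static String serviceKey(URI kms) {
        return kms.getHost() + ":" + kms.getPort();
    }

    /** Server side: MAC over the token identifier with the secret all instances share. */
    static byte[] sign(byte[] sharedSecret, String tokenId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sharedSecret, "HmacSHA256"));
        return mac.doFinal(tokenId.getBytes(StandardCharsets.UTF_8));
    }

    /** Any instance holding the shared secret can verify a token issued by another. */
    static boolean verify(byte[] sharedSecret, String tokenId, byte[] password) throws Exception {
        return MessageDigest.isEqual(sign(sharedSecret, tokenId), password);
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: two KMS instances and a secret standing in for the one in ZooKeeper.
        URI kms01 = URI.create("https://kms01.example.com:16000/kms");
        URI kms02 = URI.create("https://kms02.example.com:16000/kms");
        byte[] secret = "constructed-shared-secret".getBytes(StandardCharsets.UTF_8);

        // kms01 issues a token; the client files it under kms01's service key only.
        String tokenId = "owner=alice,seq=1";
        byte[] password = sign(secret, tokenId);
        Map<String, byte[]> creds = new HashMap<>();
        creds.put(serviceKey(kms01), password);

        // Server side: kms02 would accept the token, as the KMS documentation describes.
        System.out.println("kms02 verifies kms01 token: " + verify(secret, tokenId, password));

        // Client side: the lookup from the report, done per instance, misses on kms02.
        for (URI kms : List.of(kms01, kms02)) {
            boolean found = creds.get(serviceKey(kms)) != null;
            System.out.println(serviceKey(kms) + " -> token found in credentials: " + found);
        }
    }
}
```

In this model the second instance can verify the token but the client never finds one to present to it, because the credentials are keyed by the first instance's address and port.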