[HADOOP-11187] NameNode - KMS communication fails after a long period of inactivity - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.6.0
Fix Version/s: 2.7.0
Component/s: None
Labels:
None

Target Version/s:

2.7.0
Hadoop Flags:

Reviewed

Description

As reported by atm :

The issue is due to the authentication token that the NN has to talk to the KMS is expiring, AND the signature secret provider in the KMS authentication filter is discarding the old secret after 2x the authentication token validity period.
If the token being supplied is under 1x the validity lifetime then the token will authenticate just fine. If the token being supplied is between 1x-2x the validity lifetime, then the token can be validated but it will be expired, so a 401 will be returned to the client and it will get a new token. But if the token being supplied is greater than 2x the validity lifetime, then the KMS authentication filter will not even be able to validate the token, and will return a 403, which will cause the client to not retry authentication to the KMS.

The KMSClientProvider needs to be modified to retry authentication even in the above case

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-11187.2.patch
05/Nov/14 19:41
16 kB
Arun Suresh
HADOOP-11187.1.patch
04/Nov/14 10:09
14 kB
Arun Suresh

Activity

People

Assignee:: Arun Suresh

Reporter:: Arun Suresh

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 10/Oct/14 00:55

Updated:: 08/Dec/15 08:58

Resolved:: 06/Nov/14 02:18