Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-11482

Use correct UGI when KMSClientProvider is called by a proxy user

    Details

      Description

      Long Living clients of HDFS (For eg. OOZIE) use cached DFSClients which in turn use a cached KMSClientProvider to talk to KMS.

      Before an MR Job is run, the job client calls the DFClient.addDelegationTokens() method which calls addDelegationTokens() on the KMSClientProvider to get any delegation token associated to the user.

      Unfortunately, this call uses a cached DelegationTokenAuthenticationURL.Token instance which can cause the SignerSecretProvider implementation of the AuthenticationFilter at the KMS Server end to fail validation. Which results in the MR job itself failing.

        Attachments

        1. HADOOP-11482.1.patch
          4 kB
          Arun Suresh
        2. HADOOP-11482.2.patch
          4 kB
          Arun Suresh

          Activity

            People

            • Assignee:
              asuresh Arun Suresh
              Reporter:
              asuresh Arun Suresh
            • Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: