  1. Hadoop Common
  2. HADOOP-12659

Incorrect usage of config parameters in token manager of KMS

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.1, 2.6.2
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      Hi, the usage of the following configs of Key Management Server (KMS) is problematic:
      hadoop.kms.authentication.delegation-token.renew-interval.sec
      hadoop.kms.authentication.delegation-token.removal-scan-interval.sec

      The name indicates that the units are sec, and the online doc shows that the default values are 86400 and 3600, respectively.
      https://hadoop.apache.org/docs/stable/hadoop-kms/index.html
      which is also defined in

      DelegationTokenManager.java
       55   public static final String RENEW_INTERVAL = PREFIX + "renew-interval.sec";
       56   public static final long RENEW_INTERVAL_DEFAULT = 24 * 60 * 60;
       ...
       58   public static final String REMOVAL_SCAN_INTERVAL = PREFIX +
       59       "removal-scan-interval.sec";
       60   public static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;
      

      However, in DelegationTokenManager.java and ZKDelegationTokenSecretManager.java, these two parameters are used incorrectly.

      1. DelegationTokenManager.java

       70           conf.getLong(RENEW_INTERVAL, RENEW_INTERVAL_DEFAULT) * 1000,
       71           conf.getLong(REMOVAL_SCAN_INTERVAL, 
       72               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
      

      Apparently, at Line 72, REMOVAL_SCAN_INTERVAL should be used in the same way as RENEW_INTERVAL, like

      72c72
      <               REMOVAL_SCAN_INTERVAL_DEFAULT * 1000));
      ---
      >               REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
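      Review bot: The replacement for line 72 still converts units with a hand-placed "* 1000" after the closing parenthesis, which is the same pattern that was misplaced in the removed line; wrapping the read as TimeUnit.SECONDS.toMillis(conf.getLong(REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT)) would name the unit and make a misplaced parenthesis a compile error rather than a silent unit change. The change also alters behaviour for any deployment that set hadoop.kms.authentication.delegation-token.removal-scan-interval.sec in milliseconds to match the old code: that value is now multiplied by 1000, so the fix should carry a release note.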
      

      Currently, the unit of hadoop.kms.authentication.delegation-token.removal-scan-interval.sec is not sec but millisec.

      2. ZKDelegationTokenSecretManager.java

      142         conf.getLong(DelegationTokenManager.RENEW_INTERVAL,
      143             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
      144         conf.getLong(DelegationTokenManager.REMOVAL_SCAN_INTERVAL,
      145             DelegationTokenManager.REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000);
      

      The situation is the opposite in this class: hadoop.kms.authentication.delegation-token.renew-interval.sec is wrong but the other is correct...
      A patch should be like

      143c143
      <             DelegationTokenManager.RENEW_INTERVAL_DEFAULT * 1000),
      ---
      >             DelegationTokenManager.RENEW_INTERVAL_DEFAULT) * 1000,
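      Review bot: The corrected line 143 needs a test that sets hadoop.kms.authentication.delegation-token.renew-interval.sec explicitly, because with the key unset the old and new expressions both evaluate to RENEW_INTERVAL_DEFAULT * 1000 and a test that uses only defaults passes either way. With the removed line, a configured value is returned by getLong unscaled, so the test should set a non-default number of seconds and check that the value handed to the secret manager is that number times 1000.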
      

      Thanks!
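The difference between the two parenthesis placements described above, as an added example that is not code from the Hadoop project: the config key and default are taken from the report, while the `getLong` helper (a Map-backed stand-in for Hadoop's `Configuration.getLong`), the class name and the sample setting are assumptions made for illustration. It shows that the two forms agree when the key is unset and diverge only when an operator sets a value, and adds a `TimeUnit`-based variant.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;

public class IntervalUnitDemo {
    // Key and default copied from the report; everything else here is a stand-in.
    static final String REMOVAL_SCAN_INTERVAL =
        "hadoop.kms.authentication.delegation-token.removal-scan-interval.sec";
    static final long REMOVAL_SCAN_INTERVAL_DEFAULT = 60 * 60;

    // Hypothetical minimal substitute for Hadoop's Configuration.getLong(name, default).
    static long getLong(Map<String, String> conf, String key, long dflt) {
        String v = conf.get(key);
        return v == null ? dflt : Long.parseLong(v.trim());
    }

    // Shape reported at DelegationTokenManager.java line 72: only the default is scaled.
    static long buggyMillis(Map<String, String> conf) {
        return getLong(conf, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT * 1000);
    }

    // Shape proposed in the report: whatever value was read is scaled.
    static long fixedMillis(Map<String, String> conf) {
        return getLong(conf, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT) * 1000;
    }

    // Alternative that names the unit instead of using a bare multiplier.
    static long explicitUnitMillis(Map<String, String> conf) {
        return TimeUnit.SECONDS.toMillis(
            getLong(conf, REMOVAL_SCAN_INTERVAL, REMOVAL_SCAN_INTERVAL_DEFAULT));
    }

    public static void main(String[] args) {
        Map<String, String> unset = new HashMap<>();
        Map<String, String> explicit = new HashMap<>();
        explicit.put(REMOVAL_SCAN_INTERVAL, "3600"); // constructed operator setting

        // Key unset: both forms agree, so a default deployment hides the bug.
        System.out.printf("unset    buggy=%d ms fixed=%d ms%n",
            buggyMillis(unset), fixedMillis(unset));
        // Key set: the buggy form treats the configured seconds as milliseconds.
        System.out.printf("explicit buggy=%d ms fixed=%d ms explicitUnit=%d ms%n",
            buggyMillis(explicit), fixedMillis(explicit), explicitUnitMillis(explicit));
        if (buggyMillis(explicit) == fixedMillis(explicit)) {
            throw new AssertionError("expected the two forms to differ for an explicit value");
        }
    }
}
```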

              People

              • Assignee:
                liuml07 Mingliang Liu
                Reporter:
                tianyin Tianyin Xu
              • Votes:
                0
                Watchers:
                6