Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-12770

KMSClientProvider addDelegationTokens won't add if the credentials contain an expired one

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.8.0
    • None
    • security
    • None

    Description

      KMSClientProvider addDelegationTokens adds delegation tokens —but skips that step if the provided credentials already have one for the service.

      There is no check to see if the existing one is actually valid; if the credentials have an expired one, then you don't get a new token.

      There is a workaround: caller has to filter token list and strip out expired tokens. But to do that, they need to know this issue exists.

      Attachments

        Issue Links

          relates to

          Sub-task - The sub-task of the issue HADOOP-14556 S3A to support Delegation Tokens

          • Major - Major loss of function.
          • Resolved

          Sub-task - The sub-task of the issue HADOOP-16068 ABFS Authentication and Delegation Token plugins to optionally be bound to specific URI of the store

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-12649 Improve Kerberos diagnostics and failure handling

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              stevel@apache.org Steve Loughran
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: