  1. Hadoop Common
  2. HADOOP-12770

KMSClientProvider addDelegationTokens won't add if the credentials contain an expired one

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.8.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      KMSClientProvider addDelegationTokens adds delegation tokens, but skips that step if the provided credentials already have one for the service.

      There is no check to see if the existing one is actually valid; if the credentials have an expired one, then you don't get a new token.

      There is a workaround: the caller has to filter the token list and strip out expired tokens. But to do that, they need to know this issue exists.
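
The skip-if-present behaviour and the caller-side workaround described above, as an added example that is not part of the original report and is not Hadoop code. It is a self-contained model: `Token`, `Creds`, `addIfAbsent` and `stripExpired` are hypothetical stand-ins, and the explicit expiry field and service name are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class ExpiredTokenWorkaround {
    // Hypothetical stand-in for a delegation token: service name plus expiry time.
    record Token(String service, long expiresAtMillis) {
        boolean isExpired(long now) { return now >= expiresAtMillis; }
    }

    // Hypothetical stand-in for a credentials object: tokens keyed by service.
    static final class Creds {
        final Map<String, Token> tokens = new HashMap<>();
    }

    // Models the behaviour in the report: fetch only if no token is present,
    // without checking whether the present one is still valid.
    static boolean addIfAbsent(Creds creds, String service, long now) {
        if (creds.tokens.containsKey(service)) {
            return false; // skipped, even if the existing token has expired
        }
        creds.tokens.put(service, new Token(service, now + 86_400_000L));
        return true;
    }

    // The workaround from the report: the caller strips expired tokens first.
    static int stripExpired(Creds creds, long now) {
        int before = creds.tokens.size();
        creds.tokens.values().removeIf(t -> t.isExpired(now));
        return before - creds.tokens.size();
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String service = "kms://example"; // constructed service name
        Creds creds = new Creds();
        creds.tokens.put(service, new Token(service, now - 1_000L)); // constructed, already expired

        System.out.println("fetched without workaround: " + addIfAbsent(creds, service, now));
        System.out.println("expired tokens removed: " + stripExpired(creds, now));
        System.out.println("fetched after workaround: " + addIfAbsent(creds, service, now));
        System.out.println("token now valid: " + !creds.tokens.get(service).isExpired(now));
    }
}
```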


              People

              • Assignee:
                Unassigned
                Reporter:
                stevel@apache.org Steve Loughran