Hadoop Common / HADOOP-13155

Implement TokenRenewer to renew and cancel delegation tokens in KMS

    Details

    • Release Note:
      Enables renewal and cancellation of KMS delegation tokens. hadoop.security.key.provider.path needs to be configured to reach the key provider.

      Description

      Service DelegationToken (DT) renewal is done in Yarn by org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer, where it calls Token#renew and uses ServiceLoader to find the renewer class, and invokes the renew method from it.

      We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence Yarn defaults to TrivialRenewer for DT of such kinds, resulting in the token not being renewed.

      As a side note, HttpFSFileSystem does have a renewDelegationToken API, but I don't see it invoked in the Hadoop code base. KMS does not have any renew hook.
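
      The lookup-and-fallback behaviour the description refers to, as a simplified stand-alone Java model added here (not Hadoop source and not taken from the attached patches). The Renewer interface, the class names and the token kinds are hypothetical, and the fallback throwing on renew is an assumption of this model.

```java
import java.util.List;
import java.util.ServiceLoader;

// Simplified model of the lookup described above; not Hadoop source.
// Renewer, ManagedRenewer, TrivialFallback and the token kinds are hypothetical.
public class RenewerLookupDemo {
    interface Renewer {
        boolean handleKind(String kind);
        boolean isManaged();
        long renew(String kind, long nowMs);
    }

    // A renewer that a service ships and registers for its own token kind.
    static class ManagedRenewer implements Renewer {
        public boolean handleKind(String kind) { return kind.equals("kind-with-renewer"); }
        public boolean isManaged() { return true; }
        public long renew(String kind, long nowMs) { return nowMs + 86_400_000L; } // +24h, constructed
    }

    // Fallback chosen when no discovered renewer claims the kind (assumed to refuse renewal).
    static class TrivialFallback implements Renewer {
        public boolean handleKind(String kind) { return true; }
        public boolean isManaged() { return false; }
        public long renew(String kind, long nowMs) {
            throw new UnsupportedOperationException("renewal not supported for " + kind);
        }
    }

    // The first candidate that claims the kind wins; otherwise the fallback is returned.
    static Renewer find(String kind, Iterable<Renewer> candidates) {
        for (Renewer r : candidates) {
            if (r.handleKind(kind)) return r;
        }
        return new TrivialFallback();
    }

    public static void main(String[] args) {
        // No META-INF/services provider file exists for Renewer here, so discovery is empty.
        ServiceLoader<Renewer> discovered = ServiceLoader.load(Renewer.class);
        List<Renewer> registered = List.of(new ManagedRenewer());
        for (String kind : new String[] {"kind-with-renewer", "kind-without-renewer"}) {
            Renewer a = find(kind, registered);
            Renewer b = find(kind, discovered);
            System.out.println(kind + " with provider on classpath: managed=" + a.isManaged());
            System.out.println(kind + " with no provider found:     managed=" + b.isManaged());
        }
    }
}
```

      The lookup never fails in this model: a kind without a registered provider gets the fallback, so the only visible sign is managed=false and a token that later expires.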

        Attachments

        1. HADOOP-13155.07.patch (27 kB, Xiao Chen)
        2. HADOOP-13155.06.patch (33 kB, Xiao Chen)
        3. HADOOP-13155.05.patch (32 kB, Xiao Chen)
        4. HADOOP-13155.04.patch (31 kB, Xiao Chen)
        5. HADOOP-13155.03.patch (30 kB, Xiao Chen)
        6. HADOOP-13155.02.patch (30 kB, Xiao Chen)
        7. HADOOP-13155.01.patch (28 kB, Xiao Chen)
        8. HADOOP-13155.pre.patch (27 kB, Xiao Chen)


              People

              • Assignee:
                xiaochen Xiao Chen
                Reporter:
                xiaochen Xiao Chen