Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13155

Implement TokenRenewer to renew and cancel delegation tokens in KMS

    XMLWordPrintableJSON

Details

    • Enables renewal and cancellation of KMS delegation tokens. hadoop.security.key.provider.path needs to be configured to reach the key provider.

    Description

      Service DelegationToken (DT) renewal is done in Yarn by org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer, where it calls Token#renew and uses ServiceLoader to find the renewer class (code), and invokes the renew method from it.

      We seem to miss the token renewer class in KMS / HttpFSFileSystem, and hence Yarn defaults to TrivialRenewer for DT of such kinds, resulting in the token not being renewed.

      As a side note, HttpFSFileSystem does have a renewDelegationToken API, but I don't see it invoked in hadoop code base. KMS does not have any renew hook.

      Attachments

        1. HADOOP-13155.pre.patch
          27 kB
          Xiao Chen
        2. HADOOP-13155.01.patch
          28 kB
          Xiao Chen
        3. HADOOP-13155.02.patch
          30 kB
          Xiao Chen
        4. HADOOP-13155.03.patch
          30 kB
          Xiao Chen
        5. HADOOP-13155.04.patch
          31 kB
          Xiao Chen
        6. HADOOP-13155.05.patch
          32 kB
          Xiao Chen
        7. HADOOP-13155.06.patch
          33 kB
          Xiao Chen
        8. HADOOP-13155.07.patch
          27 kB
          Xiao Chen

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15390 Yarn RM logs flooded by DelegationTokenRenewer trying to renew KMS tokens

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved
          depends upon

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13228 Add delegation token to the connection in DelegationTokenAuthenticator

          • Major - Major loss of function.
          • Resolved
          is depended upon by

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13251 Authenticate with Kerberos credentials when renewing KMS delegation token

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13838 KMSTokenRenewer should close providers

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Activity

            People

              xiaochen Xiao Chen
              xiaochen Xiao Chen
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: