  1. Hadoop Common
  2. HADOOP-13251

Authenticate with Kerberos credentials when renewing KMS delegation token


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.8.0
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: kms
    • Labels:
      None
    • Target Version/s:

      Description

      It turns out that the KMS delegation token renewal feature (HADOOP-13155) does not work well with client-side impersonation.
      In an MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn) and passes them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the KMS server side to decide the renewer, which in this case is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.
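
The mismatch described above, as an added example: a small Python model written for this page, not Hadoop or KMS code. The class and function names, the sample principal and the time values are constructed, and reducing a Kerberos principal to its first component is a simplifying assumption.

```python
from dataclasses import dataclass


class RenewerMismatch(Exception):
    """Raised when the authenticated caller is not the token's renewer."""


@dataclass(frozen=True)
class DelegationToken:
    owner: str     # end user the token was issued to
    renewer: str   # service allowed to renew it
    max_date: int  # latest time the token may be renewed to (epoch seconds)


def caller_from_token_auth(token: DelegationToken) -> str:
    # Reported behaviour: the renew request is authenticated with the token,
    # so the server resolves the caller to the token's owner.
    return token.owner


def caller_from_kerberos(principal: str) -> str:
    # Behaviour named in the issue title: the renewing service authenticates
    # with its own Kerberos credentials. Reducing "name/host@REALM" to "name"
    # is a simplification of principal-to-short-name mapping (assumption).
    return principal.split("@", 1)[0].split("/", 1)[0]


def renew(token: DelegationToken, caller: str, now: int, interval: int) -> int:
    """Return the new expiry, or raise if the caller may not renew."""
    if caller != token.renewer:
        raise RenewerMismatch(
            f"{caller!r} tried to renew a token whose renewer is {token.renewer!r}")
    if now >= token.max_date:
        raise ValueError("token is past its maximum lifetime")
    return min(now + interval, token.max_date)


def demo() -> dict:
    # Constructed sample: token issued to "user" with renewer "yarn".
    token = DelegationToken(owner="user", renewer="yarn", max_date=1_000_000)
    results = {}
    try:
        results["token_auth"] = renew(token, caller_from_token_auth(token), 1000, 86_400)
    except RenewerMismatch as exc:
        results["token_auth"] = f"rejected: {exc}"
    rm = caller_from_kerberos("yarn/rm.example.com@EXAMPLE.COM")
    results["kerberos_auth"] = renew(token, rm, 1000, 86_400)
    return results
```

The renewer check is identical on both paths; only the identity fed into it differs, so the check stays in place and still rejects any caller other than the designated renewer.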

        Attachments

        1. HADOOP-13251.01.patch
          15 kB
          Xiao Chen
        2. HADOOP-13251.02.patch
          15 kB
          Xiao Chen
        3. HADOOP-13251.03.patch
          15 kB
          Xiao Chen
        4. HADOOP-13251.04.patch
          15 kB
          Xiao Chen
        5. HADOOP-13251.05.patch
          16 kB
          Xiao Chen
        6. HADOOP-13251.06.patch
          17 kB
          Xiao Chen
        7. HADOOP-13251.07.patch
          17 kB
          Xiao Chen
        8. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        9. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        10. HADOOP-13251.09.patch
          16 kB
          Xiao Chen
        11. HADOOP-13251.10.patch
          19 kB
          Xiao Chen
        12. HADOOP-13251.innocent.patch
          0.8 kB
          Xiao Chen

        Issue Links

          Activity

            People

            • Assignee:
              xiaochen Xiao Chen
              Reporter:
              xiaochen Xiao Chen

              Dates

              • Created:
                Updated:
                Resolved:
