Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-13251

Authenticate with Kerberos credentials when renewing KMS delegation token

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.8.0
    • 2.8.0, 3.0.0-alpha1
    • kms
    • None

    Description

      Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation.
      In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.

      Attachments

        1. HADOOP-13251.01.patch
          15 kB
          Xiao Chen
        2. HADOOP-13251.02.patch
          15 kB
          Xiao Chen
        3. HADOOP-13251.03.patch
          15 kB
          Xiao Chen
        4. HADOOP-13251.04.patch
          15 kB
          Xiao Chen
        5. HADOOP-13251.05.patch
          16 kB
          Xiao Chen
        6. HADOOP-13251.06.patch
          17 kB
          Xiao Chen
        7. HADOOP-13251.07.patch
          17 kB
          Xiao Chen
        8. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        9. HADOOP-13251.08.patch
          17 kB
          Xiao Chen
        10. HADOOP-13251.09.patch
          16 kB
          Xiao Chen
        11. HADOOP-13251.10.patch
          19 kB
          Xiao Chen
        12. HADOOP-13251.innocent.patch
          0.8 kB
          Xiao Chen

        Issue Links

          Blocked

          Bug - A problem which impairs or prevents the functions of the product. YETUS-420 Hadoop post commit failure due to Docker unable to build image

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13228 Add delegation token to the connection in DelegationTokenAuthenticator

          • Major - Major loss of function.
          • Resolved
          depends upon

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-13155 Implement TokenRenewer to renew and cancel delegation tokens in KMS

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              xiaochen Xiao Chen
              xiaochen Xiao Chen
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: