Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15997

KMS client uses wrong UGI after HADOOP-14445

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2.0, 3.0.4, 3.1.2
    • Fix Version/s: 3.2.0, 3.3.0, 3.1.2
    • Component/s: kms
    • Labels:
      None
    • Environment:

      Hadoop 3.0.x (CDH6.x), Kerberized, HDFS at-rest encryption, multiple KMS

    • Hadoop Flags:
      Reviewed

      Description

      After HADOOP-14445, KMS client always authenticates itself using the credentials from login user, rather than current user.

      2018-12-07 15:58:30,663 DEBUG [main] org.apache.hadoop.crypto.key.kms.KMSClientProvider: Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials
      

      The log message "Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials" is printed because KMSClientProvider#containsKmsDt() is null when it definitely has the kms delegation token.

      In fact, KMSClientProvider#containsKmsDt() should select delegation token using clientTokenProvider.selectDelegationToken(creds) rather than checking if its dtService is in the user credentials.

      This is done correctly in KMSClientProvider#createAuthenticatedURL though.

      We found this bug when it broke Cloudera's Backup and Disaster Recovery tool.

       

      Daryn Sharp Xiao Chen mind taking a look? HADOOP-14445 is a huge patch but it is almost perfect except for this bug.

        Attachments

        1. HADOOP-15997.001.patch
          5 kB
          Wei-Chiu Chuang
        2. HADOOP-15997.02.patch
          5 kB
          Wei-Chiu Chuang

          Issue Links

            Activity

              People

              • Assignee:
                weichiu Wei-Chiu Chuang
                Reporter:
                weichiu Wei-Chiu Chuang
              • Votes:
                0 Vote for this issue
                Watchers:
                9 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: