Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15997

KMS client uses wrong UGI after HADOOP-14445

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.2.0, 3.0.4, 3.1.2
    • Fix Version/s: 3.2.0, 3.3.0, 3.1.2
    • Component/s: kms
    • Labels:
      None
    • Environment:

      Hadoop 3.0.x (CDH6.x), Kerberized, HDFS at-rest encryption, multiple KMS

    • Hadoop Flags:
      Reviewed

      Description

      After HADOOP-14445, KMS client always authenticates itself using the credentials from login user, rather than current user.

      2018-12-07 15:58:30,663 DEBUG [main] org.apache.hadoop.crypto.key.kms.KMSClientProvider: Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials
      

      The log message "Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials" is printed because KMSClientProvider#containsKmsDt() is null when it definitely has the kms delegation token.

      In fact, KMSClientProvider#containsKmsDt() should select delegation token using clientTokenProvider.selectDelegationToken(creds) rather than checking if its dtService is in the user credentials.

      This is done correctly in KMSClientProvider#createAuthenticatedURL though.

      We found this bug when it broke Cloudera's Backup and Disaster Recovery tool.

       

      Daryn Sharp Xiao Chen mind taking a look? HADOOP-14445 is a huge patch but it is almost perfect except for this bug.

        Attachments

        1. HADOOP-15997.001.patch
          5 kB
          Wei-Chiu Chuang
        2. HADOOP-15997.02.patch
          5 kB
          Wei-Chiu Chuang

        Issue Links

          Activity

            People

            • Assignee:
              weichiu Wei-Chiu Chuang
              Reporter:
              weichiu Wei-Chiu Chuang

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment