Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Won't Fix
-
None
-
None
-
None
Description
The TokenProvider coprocessor service, which is responsible for issuing HBase delegation tokens, currently runs a region endpoint. In the security documentation, we recommend configuring this coprocessor for all table regions, however, we only ever address delegation token requests to the META region.
When TokenProvider was first added, region coprocessors were the only way of adding endpoints. But, since then, we've added support for endpoints for regionserver and master coprocessors. This makes loading TokenProvider on all table regions unnecessarily wasteful.
We can reduce the overhead for TokenProvider and greatly improve it's scalability by doing the following:
- Convert TokenProvider to a SingletonCoprocessorService that is configured to run on all regionservers. This will ensure a single instance per regionserver instead of one per region.
- Direct delegation token requests to a random running regionserver so that we don't hotspot any single instance with requests.
Attachments
Issue Links
- is related to
-
HBASE-12493 User class should provide a way to re-use existing token
- Closed