
KMSClientProvider combined with KeyProviderCache can result in wrong UGI being used


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Fix Version/s: 2.8.0, 3.0.0-alpha2
    • Hadoop Flags: Reviewed

    Description

      ClientContext::get gets the context from CACHE via a config-setting-based name, then KeyProviderCache stored in ClientContext gets the key provider cached by URI from the configuration, too. These would return the same KeyProvider regardless of current UGI.
      KMSClientProvider caches the UGI (actualUgi) in the ctor; that means in particular that all the users of DFS with KMSClientProvider in a process will get the KMS token (along with other credentials) of the first user, via the above cache.

      Either KMSClientProvider shouldn't store the UGI, or one of the caches should be UGI-aware, like the FS object cache.

      Side note: the comment in createConnection that purports to handle the different UGI doesn't seem to cover what it says it covers. In our case, we have two unrelated UGIs with no auth (createRemoteUser) with a bunch of tokens, including a KMS token, added.
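The cache interaction the report describes, reduced to a constructed model (an added example, not Hadoop's own code): a process-wide provider cache keyed only by KMS URI hands every user the provider built for the first caller, and that provider still holds the first caller's UGI and KMS token; a cache keyed by URI plus user, as the report suggests for a UGI-aware cache like the FS object cache, keeps each user's credentials separate. All class and variable names and the sample URI below are invented for the model.

```python
from dataclasses import dataclass, field

@dataclass
class Ugi:
    """Stand-in for UserGroupInformation: a user name plus its credentials."""
    user: str
    tokens: dict = field(default_factory=dict)

@dataclass
class CachedProvider:
    """Stand-in for KMSClientProvider as described: stores actualUgi in the ctor."""
    uri: str
    actual_ugi: Ugi

    def kms_token(self):
        # The token presented to the KMS is whatever the captured UGI holds.
        return self.actual_ugi.tokens.get("kms")

class UriKeyedCache:
    """UGI-unaware cache (the reported behaviour): the key is the URI only."""
    def __init__(self):
        self._cache = {}

    def get(self, uri, current_ugi):
        if uri not in self._cache:
            self._cache[uri] = CachedProvider(uri, current_ugi)
        return self._cache[uri]

class UgiKeyedCache:
    """UGI-aware cache (like the FS object cache): the key includes the user."""
    def __init__(self):
        self._cache = {}

    def get(self, uri, current_ugi):
        key = (uri, current_ugi.user)
        if key not in self._cache:
            self._cache[key] = CachedProvider(uri, current_ugi)
        return self._cache[key]

KMS_URI = "kms://http@kms.example:9600/kms"  # constructed sample URI

def tokens_seen_by(cache):
    """Two unrelated users, each with its own KMS token, look up the same URI
    in the same process. Returns {user: token the provider would present}."""
    alice = Ugi("alice", {"kms": "kms-token-alice"})  # constructed credentials
    bob = Ugi("bob", {"kms": "kms-token-bob"})
    return {u.user: cache.get(KMS_URI, u).kms_token() for u in (alice, bob)}

if __name__ == "__main__":
    print(tokens_seen_by(UriKeyedCache()))  # bob is handed alice's KMS token
    print(tokens_seen_by(UgiKeyedCache()))  # each user keeps their own token
```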

      Attachments

        1. HDFS-10757.00.patch (5 kB, Xiaoyu Yao)
        2. HDFS-10757.01.patch (5 kB, Xiaoyu Yao)
        3. HDFS-10757.02.patch (6 kB, Xiaoyu Yao)
        4. HDFS-10757.03.patch (6 kB, Xiaoyu Yao)
        5. HADOOP-13749.00.patch (7 kB, Xiaoyu Yao)


          People

            Assignee: Xiaoyu Yao (xyao)
            Reporter: Sergey Shelukhin (sershe)
            Votes: 0
            Watchers: 12
