Hadoop Map/Reduce
  1. Hadoop Map/Reduce
  2. MAPREDUCE-2420

JobTracker should be able to renew delegation token over HTTP

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.22.1
    • Component/s: None
    • Labels:
      None
    • Hadoop Flags:
      Reviewed
    • Tags:
      security

      Description

      in case JobTracker has to talk to a NameNode running a different version (RPC version mismatch), Jobtracker should be able to fall back to HTTP renewal.

      Example of the case - running distcp between different versions using hfpt.

      1. MR2420-3.patch
        6 kB
        Boris Shkolnik
      2. MR2420-2.patch
        6 kB
        Boris Shkolnik
      3. MR-2420-1.patch
        8 kB
        Boris Shkolnik
      4. MR-2420.patch
        9 kB
        Boris Shkolnik
      5. MR-2420.22-3.patch
        6 kB
        Boris Shkolnik
      6. MR-2420.22-2.patch
        6 kB
        Boris Shkolnik
      7. MR-2420.22-1.patch
        6 kB
        Boris Shkolnik

        Issue Links

          Activity

          Hide
          Devaraj Das added a comment -

          This patch handles the case of HDFS token renewals, when the JobTracker's HDFS is running a different version of HDFS than the one the job is trying to use. An example of such a job is distcp (where it uses hftp to talk to a different source cluster to pull data to the cluster where distcp is running).

          When the job is submitted, the client requests a delegation token over hftp and stuffs it in the job. Today, the NameNode doesn't distinguish between hftp and hdfs accesses, and issues HDFS tokens for both (and the token-kind field in the token has the value as 'HDFS'). Ideally, that should be fixed to have the token-kind as HFTP for hftp accesses. We should have the JobTracker handle all sorts of token renewals, and have a way in which it can look at a token and decide which protocol to use to talk to the server in question. This includes HDFS, HFTP, and also HIVE (where the protocol is thrift).

          I think this patch is okay for the short term - the JobTracker falls back to hftp if it couldn't renew a token over hdfs. In the patch, there are a bunch of white space changes that aren't required. The string comparisons for exception messages and then instantiating a concrete exception could probably be replaced with a forname() on the string exception.

          When we fix this issue in trunk, please make it more generic on lines similar to above.

          Show
          Devaraj Das added a comment - This patch handles the case of HDFS token renewals, when the JobTracker's HDFS is running a different version of HDFS than the one the job is trying to use. An example of such a job is distcp (where it uses hftp to talk to a different source cluster to pull data to the cluster where distcp is running). When the job is submitted, the client requests a delegation token over hftp and stuffs it in the job. Today, the NameNode doesn't distinguish between hftp and hdfs accesses, and issues HDFS tokens for both (and the token-kind field in the token has the value as 'HDFS'). Ideally, that should be fixed to have the token-kind as HFTP for hftp accesses. We should have the JobTracker handle all sorts of token renewals, and have a way in which it can look at a token and decide which protocol to use to talk to the server in question. This includes HDFS, HFTP, and also HIVE (where the protocol is thrift). I think this patch is okay for the short term - the JobTracker falls back to hftp if it couldn't renew a token over hdfs. In the patch, there are a bunch of white space changes that aren't required. The string comparisons for exception messages and then instantiating a concrete exception could probably be replaced with a forname() on the string exception. When we fix this issue in trunk, please make it more generic on lines similar to above.
          Hide
          Boris Shkolnik added a comment -

          implemented some of Devaraj's comments.

          also set stack to empty for artificially created exceptions (on the client side).

          Agree with Devaraj that we need a more generic solution for all types of token.

          Please open a Jira on this and put these requirements in.

          Show
          Boris Shkolnik added a comment - implemented some of Devaraj's comments. also set stack to empty for artificially created exceptions (on the client side). Agree with Devaraj that we need a more generic solution for all types of token. Please open a Jira on this and put these requirements in.
          Hide
          Boris Shkolnik added a comment -

          committed to branch-20-security.

          Show
          Boris Shkolnik added a comment - committed to branch-20-security.
          Hide
          Boris Shkolnik added a comment -

          preliminary patch for .22

          Show
          Boris Shkolnik added a comment - preliminary patch for .22
          Hide
          Boris Shkolnik added a comment -

          patch for trunk

          Show
          Boris Shkolnik added a comment - patch for trunk
          Hide
          Boris Shkolnik added a comment -

          +1 overall.
          [exec]
          [exec] +1 @author. The patch does not contain any @author tags.
          [exec]
          [exec] -1 tests included. The patch doesn't appear to include any new or modified tests.
          [exec] Please justify why no new tests are needed for this patch.
          [exec] Also please list what manual steps were performed to verify this patch.
          [exec]
          [exec] +1 javadoc. The javadoc tool did not generate any warning messages. [exec]
          [exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings.
          [exec]
          [exec] +1 findbugs. The patch does not introduce any new Findbugs warnings.
          [exec]
          [exec] +1 release audit. The applied patch does not increase the total number of release audit warnings.
          [exec]
          [exec]

          No unit tests, but I did manual testing using discp copying from the same cluster or from 0.20 one

          Show
          Boris Shkolnik added a comment - +1 overall. [exec] [exec] +1 @author. The patch does not contain any @author tags. [exec] [exec] -1 tests included. The patch doesn't appear to include any new or modified tests. [exec] Please justify why no new tests are needed for this patch. [exec] Also please list what manual steps were performed to verify this patch. [exec] [exec] +1 javadoc. The javadoc tool did not generate any warning messages. [exec] [exec] +1 javac. The applied patch does not increase the total number of javac compiler warnings. [exec] [exec] +1 findbugs. The patch does not introduce any new Findbugs warnings. [exec] [exec] +1 release audit. The applied patch does not increase the total number of release audit warnings. [exec] [exec] No unit tests, but I did manual testing using discp copying from the same cluster or from 0.20 one
          Hide
          Boris Shkolnik added a comment -

          ran the ant test and it passed.

          Show
          Boris Shkolnik added a comment - ran the ant test and it passed.
          Hide
          Jitendra Nath Pandey added a comment -

          Please use constant defined in DFSConfigKeys for dfs.https.port and for the default as well.

          Show
          Jitendra Nath Pandey added a comment - Please use constant defined in DFSConfigKeys for dfs.https.port and for the default as well.
          Hide
          Boris Shkolnik added a comment -

          changed "dfs.https.port" to DFSConfigKeys....

          Show
          Boris Shkolnik added a comment - changed "dfs.https.port" to DFSConfigKeys....
          Hide
          Jitendra Nath Pandey added a comment -

          +1 for the patch.

          Show
          Jitendra Nath Pandey added a comment - +1 for the patch.
          Hide
          Jitendra Nath Pandey added a comment -

          I have committed this. Thanks to Boris!

          Show
          Jitendra Nath Pandey added a comment - I have committed this. Thanks to Boris!
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk-Commit #651 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/651/)
          MAPREDUCE-2420. JobTracker should be able to renew delegation token over HTTP. Contributed by Boris Shkolnik.

          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #651 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk-Commit/651/ ) MAPREDUCE-2420 . JobTracker should be able to renew delegation token over HTTP. Contributed by Boris Shkolnik.
          Hide
          Boris Shkolnik added a comment -

          patch for previous version(.22)
          using DFSConfigKeys.DFS_HTTPS_PORT_KEY instead of string value.

          Show
          Boris Shkolnik added a comment - patch for previous version(.22) using DFSConfigKeys.DFS_HTTPS_PORT_KEY instead of string value.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #669 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk/669/)

          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #669 (See https://builds.apache.org/hudson/job/Hadoop-Mapreduce-trunk/669/ )
          Hide
          Benoy Antony added a comment -

          Patch for 22

          Show
          Benoy Antony added a comment - Patch for 22
          Hide
          Benoy Antony added a comment -

          I removed my patch for 22. The patch -MR-2420.22-3.patch is good.
          The patch for 22 in HDFS-1860 has to be applied first.

          Show
          Benoy Antony added a comment - I removed my patch for 22. The patch -MR-2420.22-3.patch is good. The patch for 22 in HDFS-1860 has to be applied first.
          Hide
          Konstantin Shvachko added a comment -

          I just committed this to branch 0.22.1. Thank you Benoy.

          Show
          Konstantin Shvachko added a comment - I just committed this to branch 0.22.1. Thank you Benoy.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-22-branch #104 (See https://builds.apache.org/job/Hadoop-Mapreduce-22-branch/104/)
          MAPREDUCE-2420. JobTracker should be able to renew delegation token over HTTP. Contributed by Boris Shkolnik and Benoy Antony. (Revision 1346233)

          Result = SUCCESS
          shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346233
          Files :

          • /hadoop/common/branches/branch-0.22/mapreduce/CHANGES.txt
          • /hadoop/common/branches/branch-0.22/mapreduce/src/java/org/apache/hadoop/mapreduce/security/token/DelegationTokenRenewal.java
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-22-branch #104 (See https://builds.apache.org/job/Hadoop-Mapreduce-22-branch/104/ ) MAPREDUCE-2420 . JobTracker should be able to renew delegation token over HTTP. Contributed by Boris Shkolnik and Benoy Antony. (Revision 1346233) Result = SUCCESS shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346233 Files : /hadoop/common/branches/branch-0.22/mapreduce/CHANGES.txt /hadoop/common/branches/branch-0.22/mapreduce/src/java/org/apache/hadoop/mapreduce/security/token/DelegationTokenRenewal.java

            People

            • Assignee:
              Boris Shkolnik
              Reporter:
              Boris Shkolnik
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development