Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-14445

Use DelegationTokenIssuer to create KMS delegation tokens that can authenticate to all KMS instances

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.8.0, 3.0.0-alpha1
    • 3.2.0, 3.0.4, 3.1.2
    • kms
    • None

    • CDH5.7.4, Kerberized, SSL, KMS-HA, at rest encryption

    • Reviewed
    • Hide
      <!-- markdown -->

      This patch improves the KMS delegation token issuing and authentication logic, to enable tokens to authenticate with a set of KMS servers. The change is backport compatible, in that it keeps the existing authentication logic as a fall back.

      Historically, KMS delegation tokens have ip:port as service, making KMS clients only able to use the token to authenticate with the KMS server specified as ip:port, even though the token is shared among all KMS servers at server-side. After this patch, newly created tokens will have the KMS URL as service.

      A `DelegationTokenIssuer` interface is introduced for token creation.
      Show
      <!-- markdown --> This patch improves the KMS delegation token issuing and authentication logic, to enable tokens to authenticate with a set of KMS servers. The change is backport compatible, in that it keeps the existing authentication logic as a fall back. Historically, KMS delegation tokens have ip:port as service, making KMS clients only able to use the token to authenticate with the KMS server specified as ip:port, even though the token is shared among all KMS servers at server-side. After this patch, newly created tokens will have the KMS URL as service. A `DelegationTokenIssuer` interface is introduced for token creation.

    Description

      As discovered in HADOOP-14441, KMS HA using LoadBalancingKMSClientProvider do not share delegation tokens. (a client uses KMS address/port as the key for delegation token)

      DelegationTokenAuthenticatedURL#openConnection
      if (!creds.getAllTokens().isEmpty()) {
        InetSocketAddress serviceAddr = new InetSocketAddress(url.getHost(),
            url.getPort());
        Text service = SecurityUtil.buildTokenService(serviceAddr);
        dToken = creds.getToken(service);

      But KMS doc states:

      Delegation Tokens

      Similar to HTTP authentication, KMS uses Hadoop Authentication for delegation tokens too.

      Under HA, A KMS instance must verify the delegation token given by another KMS instance, by checking the shared secret used to sign the delegation token. To do this, all KMS instances must be able to retrieve the shared secret from ZooKeeper.

      We should either update the KMS documentation, or fix this code to share delegation tokens.

      Attachments

        1. HADOOP-14445-branch-2.8.patch
          31 kB
          Rushabh Shah
        2. HADOOP-14445-branch-2.8.002.patch
          38 kB
          Rushabh Shah
        3. HADOOP-14445.revert.patch
          86 kB
          Xiao Chen
        4. HADOOP-14445.compat.patch
          84 kB
          Daryn Sharp
        5. HADOOP-14445.branch-3.0.001.patch
          88 kB
          Xiao Chen
        6. HADOOP-14445.branch-2.8.revert.patch
          85 kB
          Xiao Chen
        7. HADOOP-14445.branch-2.8.006.patch
          82 kB
          Xiao Chen
        8. HADOOP-14445.branch-2.8.005.patch
          82 kB
          Xiao Chen
        9. HADOOP-14445.branch-2.8.004.patch
          82 kB
          Xiao Chen
        10. HADOOP-14445.branch-2.8.003.patch
          82 kB
          Xiao Chen
        11. HADOOP-14445.branch-2.06.patch
          82 kB
          Xiao Chen
        12. HADOOP-14445.branch-2.05.patch
          82 kB
          Xiao Chen
        13. HADOOP-14445.branch-2.04.patch
          82 kB
          Xiao Chen
        14. HADOOP-14445.branch-2.03.patch
          83 kB
          Xiao Chen
        15. HADOOP-14445.branch-2.02.patch
          82 kB
          Xiao Chen
        16. HADOOP-14445.branch-2.01.patch
          82 kB
          Xiao Chen
        17. HADOOP-14445.branch-2.001.precommit.patch
          0.4 kB
          Xiao Chen
        18. HADOOP-14445.branch-2.000.precommit.patch
          0.4 kB
          Xiao Chen
        19. HADOOP-14445.addemdum.patch
          12 kB
          Xiao Chen
        20. HADOOP-14445.20.patch
          87 kB
          Xiao Chen
        21. HADOOP-14445.19.patch
          87 kB
          Xiao Chen
        22. HADOOP-14445.18.patch
          87 kB
          Xiao Chen
        23. HADOOP-14445.17.patch
          87 kB
          Xiao Chen
        24. HADOOP-14445.16.patch
          64 kB
          Xiao Chen
        25. HADOOP-14445.15.patch
          64 kB
          Xiao Chen
        26. HADOOP-14445.14.patch
          64 kB
          Xiao Chen
        27. HADOOP-14445.13.patch
          84 kB
          Xiao Chen
        28. HADOOP-14445.12.patch
          84 kB
          Xiao Chen
        29. HADOOP-14445.11.patch
          78 kB
          Xiao Chen
        30. HADOOP-14445.10.patch
          78 kB
          Xiao Chen
        31. HADOOP-14445.09.patch
          81 kB
          Xiao Chen
        32. HADOOP-14445.08.patch
          81 kB
          Xiao Chen
        33. HADOOP-14445.07.patch
          71 kB
          Xiao Chen
        34. HADOOP-14445.06.patch
          72 kB
          Xiao Chen
        35. HADOOP-14445.05.patch
          73 kB
          Xiao Chen
        36. HADOOP-14445.004.patch
          71 kB
          Xiao Chen
        37. HADOOP-14445.003.patch
          52 kB
          Rushabh Shah
        38. HADOOP-14445.002.patch
          38 kB
          Rushabh Shah

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15408 HADOOP-14445 broke Spark.

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15431 KMSTokenRenewer should work with KMS_DELEGATION_TOKEN which has ip:port as service

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15861 Move DelegationTokenIssuer to the right path

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15997 KMS client uses wrong UGI after HADOOP-14445

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-16199 KMSLoadBlanceClientProvider does not select token correctly

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HDFS-13430 Fix TestEncryptionZonesWithKMS failure due to HADOOP-14445

          • Major - Major loss of function.
          • Resolved
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-14134 KMSTokenRenewer should renew token from the service address in token.

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-14441 LoadBalancingKMSClientProvider#addDelegationTokens should add delegation tokens from all KMS instances

          • Major - Major loss of function.
          • Resolved
          relates to

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15414 Job submit not work well on HDFS Federation with Transparent Encryption feature

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              xiaochen Xiao Chen
              weichiu Wei-Chiu Chuang
              Votes:
              2 Vote for this issue
              Watchers:
              19 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: