ChenSammi commented on code in PR #7394:
URL: https://github.com/apache/ozone/pull/7394#discussion_r1837450725
##########
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.java:
##########
@@ -195,9 +209,15 @@ public Token<OzoneTokenIdentifier> createToken(Text owner,
Text renewer,
OzoneTokenIdentifier identifier = createIdentifier(owner, renewer,
realUser);
updateIdentifierDetails(identifier);
-
- byte[] password = createPassword(identifier.getBytes(),
- getCurrentKey().getPrivateKey());
+ byte[] password;
+ if
(ozoneManager.getVersionManager().isAllowed(OMLayoutFeature.DELEGATION_TOKEN_SYMMETRIC_SIGN))
{
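Review bot: the gate `isAllowed(OMLayoutFeature.DELEGATION_TOKEN_SYMMETRIC_SIGN)` selects the signing scheme only at token creation, while the removed lines show the previous password was `createPassword(identifier.getBytes(), getCurrentKey().getPrivateKey())`; nothing in this hunk shows how a verifier later distinguishes an HMAC password from an RSA one, so the token identifier should record which scheme produced the password (and the else branch should keep the old asymmetric path unchanged), otherwise tokens issued while the feature is allowed but not finalized cannot be checked by an OM that only knows the asymmetric scheme.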
Review Comment:
The token signed by symmetric keys and the token signed by asymmetric keys are
incompatible at the server side. Delegation tokens are relatively long-lived
tokens, default 7d. If a client gets a delegation token signed by symmetric keys after
the OM upgrade but before finalize, and later this OM upgrade is cancelled, then when
the token the client holds is sent to the OM again after downgrade, it cannot be
verified by the OM, and client execution will fail. All types of tokens are opaque to the
client. The new DELEGATION_TOKEN_SYMMETRIC_SIGN layout is introduced to handle
the compatibility between a lower version of the OM and a higher version of the OM.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
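As an added illustration of the upgrade window the comment describes (this is example code, not code from the PR or from Ozone), the following Java sketch issues a delegation token under two different gates and then checks both tokens with a verifier that knows only the asymmetric scheme, as a downgraded OM would. `LayoutState`, `issue`, `oldOmVerify` and the identifier bytes are this example's own constructs; Ozone's real `OzoneTokenIdentifier`, `createPassword` and layout-feature classes are not used.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class TokenSigningCompatDemo {

  // Hypothetical stand-in for the OM layout-version state; the field and
  // method names are this example's own, not Ozone's.
  static final class LayoutState {
    boolean upgradedSoftware;   // new binaries are running
    boolean finalized;          // the admin has finalized the upgrade
    // Mirrors the isAllowed() check in the hunk: true as soon as the new
    // software runs, i.e. also during the pre-finalize window.
    boolean isAllowed() { return upgradedSoftware; }
  }

  static final class Token {
    final byte[] identifier;
    final byte[] password;
    Token(byte[] identifier, byte[] password) {
      this.identifier = identifier;
      this.password = password;
    }
  }

  // Symmetric scheme: password = HMAC-SHA256(secret, identifier bytes).
  static byte[] hmacSign(byte[] secret, byte[] data) throws GeneralSecurityException {
    Mac mac = Mac.getInstance("HmacSHA256");
    mac.init(new SecretKeySpec(secret, "HmacSHA256"));
    return mac.doFinal(data);
  }

  // Asymmetric scheme: password = RSA signature over the identifier bytes,
  // the shape of the removed createPassword(identifier.getBytes(), privateKey) call.
  static byte[] rsaSign(PrivateKey key, byte[] data) throws GeneralSecurityException {
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initSign(key);
    sig.update(data);
    return sig.sign();
  }

  // A downgraded OM knows only the asymmetric scheme: an HMAC password is
  // just bytes of the wrong length and is rejected.
  static boolean oldOmVerify(PublicKey key, Token t) throws GeneralSecurityException {
    Signature sig = Signature.getInstance("SHA256withRSA");
    sig.initVerify(key);
    sig.update(t.identifier);
    try {
      return sig.verify(t.password);
    } catch (SignatureException e) {
      return false;   // malformed or wrong-length signature
    }
  }

  // Issue a token, choosing the scheme by whatever gate the caller supplies.
  static Token issue(boolean useSymmetric, byte[] identifier, byte[] secret, PrivateKey key)
      throws GeneralSecurityException {
    byte[] password = useSymmetric ? hmacSign(secret, identifier) : rsaSign(key, identifier);
    return new Token(identifier, password);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();
    byte[] secret = new byte[32];
    new SecureRandom().nextBytes(secret);
    // Constructed identifier; a real OzoneTokenIdentifier is a protobuf record.
    byte[] identifier = "owner=alice,renewer=om,maxDate=7d".getBytes(StandardCharsets.UTF_8);

    // Upgraded but not yet finalized: the window the review comment describes.
    LayoutState state = new LayoutState();
    state.upgradedSoftware = true;
    state.finalized = false;

    // Gate as in the hunk: isAllowed() is already true, so the token is HMAC-signed.
    Token gatedOnAllowed = issue(state.isAllowed(), identifier, secret, pair.getPrivate());
    // Alternative gate: keep the asymmetric scheme until the upgrade is finalized.
    Token gatedOnFinalized = issue(state.finalized, identifier, secret, pair.getPrivate());

    // Upgrade cancelled and the OM downgraded: the old verifier sees both tokens.
    System.out.println("gated on isAllowed(), verifies after downgrade: "
        + oldOmVerify(pair.getPublic(), gatedOnAllowed));
    System.out.println("gated on finalized, verifies after downgrade:   "
        + oldOmVerify(pair.getPublic(), gatedOnFinalized));
  }
}
```

Run with `javac TokenSigningCompatDemo.java && java TokenSigningCompatDemo`. The first token, issued under the `isAllowed()` gate, is rejected by the downgraded verifier, which is the failure the comment predicts; the second, issued only after finalization would have flipped the scheme, still verifies because it carries an RSA signature the old code understands. A real implementation would also need the identifier to record which scheme signed it so that a finalized OM can keep accepting outstanding asymmetric tokens until they expire.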