hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Xiao Chen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token
Date Fri, 24 Jun 2016 22:59:16 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Xiao Chen updated HADOOP-13251:
    Attachment: HADOOP-13251.10.patch

patch 10 to fix the failed tests.

> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch,
HADOOP-13251.04.patch, HADOOP-13251.05.patch, HADOOP-13251.06.patch, HADOOP-13251.07.patch,
HADOOP-13251.08.patch, HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch,
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with
client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and
pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the
MR jobs are running. But currently, the token is used at the kms server side to decide the
renewer, in which case is always the token's owner. This ends up rejecting the renew request
due to renewer mismatch.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

View raw message