hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hadoop QA (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token
Date Thu, 09 Jun 2016 18:19:20 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15323033#comment-15323033
] 

Hadoop QA commented on HADOOP-13251:
------------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m  0s{color} | {color:blue}
Docker mode activated. {color} |
| {color:red}-1{color} | {color:red} docker {color} | {color:red}  0m  6s{color} | {color:red}
Docker failed to build yetus/hadoop:2c91fd8. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12809252/HADOOP-13251.01.patch
|
| JIRA Issue | HADOOP-13251 |
| Console output | https://builds.apache.org/job/PreCommit-HADOOP-Build/9710/console |
| Powered by | Apache Yetus 0.4.0-SNAPSHOT   http://yetus.apache.org |


This message was automatically generated.



> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.01.patch, HADOOP-13251.01.patch
>
>
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with
client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and
pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the
MR jobs are running. But currently, the token is used at the kms server side to decide the
renewer, in which case is always the token's owner. This ends up rejecting the renew request
due to renewer mismatch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org


Mime
View raw message