Date: Fri, 24 Jun 2016 02:11:16 +0000 (UTC)
From: "Xiao Chen (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token

     [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13251:
-------------------------------
    Attachment: HADOOP-13251.07.patch

> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.innocent.patch
>
>
> Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and passes them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case it is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
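
The renewer mismatch described in the report, as an added example that is not part of the original message and is not Hadoop's code. It is a minimal Java model with hypothetical class and method names, comparing a requester derived from the token with one derived from the authenticated caller, using the constructed sample owner "user" and renewer "yarn".

```java
import java.util.Objects;

// Added illustration, not Hadoop code; every name below is hypothetical.
public class RenewerCheckDemo {

    /** Stand-in for the identity fields carried in a delegation token. */
    static final class TokenId {
        final String owner;
        final String renewer;
        TokenId(String owner, String renewer) {
            this.owner = owner;
            this.renewer = renewer;
        }
    }

    /** Renewal gate: only the renewer named in the token may renew it. */
    static boolean mayRenew(TokenId id, String requester) {
        return Objects.equals(id.renewer, requester);
    }

    /** Reported behaviour: the requester is read from the token, so it is always the owner. */
    static String requesterFromToken(TokenId id) {
        return id.owner;
    }

    /** Intended behaviour: the requester is the principal that authenticated the renew call. */
    static String requesterFromCaller(String authenticatedCaller) {
        return authenticatedCaller;
    }

    public static void main(String[] args) {
        // Constructed sample matching the report: owner "user", renewer "yarn".
        TokenId dt = new TokenId("user", "yarn");

        // Case 1: yarn calls renew, but the server derives the requester from the token.
        System.out.println("token-derived requester, caller=yarn -> renew allowed: "
                + mayRenew(dt, requesterFromToken(dt)));

        // Case 2: yarn calls renew and the server uses the authenticated caller.
        System.out.println("caller-derived requester, caller=yarn -> renew allowed: "
                + mayRenew(dt, requesterFromCaller("yarn")));

        // Case 3: the owner calls renew; the gate still compares against the renewer field.
        System.out.println("caller-derived requester, caller=user -> renew allowed: "
                + mayRenew(dt, requesterFromCaller("user")));
    }
}
```

Case 3 is the check worth keeping in a regression test: switching to the authenticated caller must not turn the owner into an implicit renewer.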