Date: Fri, 17 Jun 2016 18:03:05 +0000 (UTC)
From: "Xiao Chen (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Updated] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token

[ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiao Chen updated HADOOP-13251:
-------------------------------
    Attachment: HADOOP-13251.03.patch

Patch 3 limits the request user scope to only renewer and canceler, after a sharp point brought up by ATM in an offline chat.

> DelegationTokenAuthenticationHandler should detect actual renewer when renew token
> ----------------------------------------------------------------------------------
>
>                 Key: HADOOP-13251
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13251
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: kms
>    Affects Versions: 2.8.0
>            Reporter: Xiao Chen
>            Assignee: Xiao Chen
>         Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch, HADOOP-13251.innocent.patch
>
>
> Turns out the KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation.
> In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and passes them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case it is always the token's owner. This ends up rejecting the renew request due to renewer mismatch.
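
The renewer mismatch described in the issue, as an added example that is not part of the original message and is not Hadoop's code or the attached patch. It is a simplified model: every class, record and method name is hypothetical, and it assumes the server can learn the caller's identity by a means other than the token being renewed.

```java
import java.util.Objects;

// Simplified model of the renew check in this issue. Every name below is
// hypothetical; none of it is Hadoop's API or the attached patch.
public class RenewerCheckDemo {
    // A delegation token records its owner and the principal allowed to renew it.
    record Token(String owner, String renewer) {}

    // A renew request: the token, plus the caller the server authenticated
    // independently of the token (null when the token was the only credential).
    record RenewRequest(Token token, String authenticatedCaller) {}

    // Reported behaviour: the renewer is read from the token, so it is always the owner.
    static String renewerFromToken(RenewRequest req) {
        return req.token().owner();
    }

    // Behaviour the issue title asks for: the renewer is the actual caller.
    static String renewerFromCaller(RenewRequest req) {
        if (req.authenticatedCaller() == null) {
            throw new SecurityException("renew needs a caller authenticated without the token");
        }
        return req.authenticatedCaller();
    }

    // The check on the token itself: only the renewer named in it may renew.
    static boolean mayRenew(Token token, String renewer) {
        return Objects.equals(token.renewer(), renewer);
    }

    public static void main(String[] args) {
        // Constructed sample: the MR case from the description (owner=user, renewer=yarn).
        Token dt = new Token("user", "yarn");
        RenewRequest fromYarn = new RenewRequest(dt, "yarn");
        RenewRequest fromOther = new RenewRequest(dt, "someone-else");

        // Token-derived renewer is "user", which never matches renewer=yarn.
        System.out.println("token-derived, yarn calls:  " + mayRenew(dt, renewerFromToken(fromYarn)));
        // Caller-derived renewer matches for yarn and still rejects any other caller.
        System.out.println("caller-derived, yarn calls: " + mayRenew(dt, renewerFromCaller(fromYarn)));
        System.out.println("caller-derived, other user: " + mayRenew(dt, renewerFromCaller(fromOther)));
    }
}
```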