Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 9C4B1200B56 for ; Sat, 25 Jun 2016 00:59:18 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 9AD09160A58; Fri, 24 Jun 2016 22:59:18 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id E475C160A62 for ; Sat, 25 Jun 2016 00:59:17 +0200 (CEST) Received: (qmail 76777 invoked by uid 500); 24 Jun 2016 22:59:16 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 76381 invoked by uid 99); 24 Jun 2016 22:59:16 -0000 Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 24 Jun 2016 22:59:16 +0000 Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id 313922C1F69 for ; Fri, 24 Jun 2016 22:59:16 +0000 (UTC) Date: Fri, 24 Jun 2016 22:59:16 +0000 (UTC) From: "Xiao Chen (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HADOOP-13251) DelegationTokenAuthenticationHandler should detect actual renewer when renew token MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 24 Jun 2016 22:59:18 -0000 [ https://issues.apache.org/jira/browse/HADOOP-13251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Xiao Chen updated HADOOP-13251: ------------------------------- Attachment: HADOOP-13251.10.patch patch 10 to fix the failed tests. > DelegationTokenAuthenticationHandler should detect actual renewer when renew token > ---------------------------------------------------------------------------------- > > Key: HADOOP-13251 > URL: https://issues.apache.org/jira/browse/HADOOP-13251 > Project: Hadoop Common > Issue Type: Bug > Components: kms > Affects Versions: 2.8.0 > Reporter: Xiao Chen > Assignee: Xiao Chen > Attachments: HADOOP-13251.01.patch, HADOOP-13251.02.patch, HADOOP-13251.03.patch, HADOOP-13251.04.patch, HADOOP-13251.05.patch, HADOOP-13251.06.patch, HADOOP-13251.07.patch, HADOOP-13251.08.patch, HADOOP-13251.08.patch, HADOOP-13251.09.patch, HADOOP-13251.10.patch, HADOOP-13251.innocent.patch > > > Turns out KMS delegation token renewal feature (HADOOP-13155) does not work well with client side impersonation. > In a MR example, an end user (UGI:user) gets all kinds of DTs (with renewer=yarn), and pass them to Yarn. Yarn's resource manager (UGI:yarn) then renews these DTs as long as the MR jobs are running. But currently, the token is used at the kms server side to decide the renewer, in which case is always the token's owner. This ends up rejecting the renew request due to renewer mismatch. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org For additional commands, e-mail: common-issues-help@hadoop.apache.org