Date: Thu, 25 Sep 2014 17:54:34 +0000 (UTC)
From: "Jitendra Nath Pandey (JIRA)"
To: hdfs-issues@hadoop.apache.org
Subject: [jira] [Commented] (HDFS-6904) YARN unable to renew delegation token fetched via webhdfs due to incorrect service port

    [ https://issues.apache.org/jira/browse/HDFS-6904?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14148042#comment-14148042 ]

Jitendra Nath Pandey commented on HDFS-6904:
--------------------------------------------

At a higher level, the issue is as follows:
It has been an assumption that a client gets a delegation token and sets the service and port at the client side. However, with a non-Java client using REST APIs, this assumption breaks down, because the delegation token is a base64-encoded, serialized Java object. Therefore, the client is unable to set the appropriate service in the token.

One possible solution:
Provide another REST API in which the client can send a delegation token and a desired service, port, kind, etc., which the server can set inside the token and return the updated token. We have scenarios where a smart Java client clones the token and sets different service and ports. This approach will allow a thin client as well to use tokens in a similar way.

> YARN unable to renew delegation token fetched via webhdfs due to incorrect service port
> ---------------------------------------------------------------------------------------
>
>                 Key: HDFS-6904
>                 URL: https://issues.apache.org/jira/browse/HDFS-6904
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: webhdfs
>            Reporter: Varun Vasudev
>            Assignee: Haohui Mai
>            Priority: Critical
>
> YARN is unable to renew delegation tokens obtained via the WebHDFS REST API. The scenario is as follows -
> 1. User creates a delegation token using the WebHDFS REST API
> 2. User passes this token to YARN as part of app submission (via the YARN REST API)
> 3. When YARN tries to renew this delegation token, it fails because the token service is pointing to the RPC port but the token kind is WebHDFS.
> The exception is
> {noformat}
> 2014-08-19 03:12:54,733 WARN  security.DelegationTokenRenewer (DelegationTokenRenewer.java:handleDTRenewerAppSubmitEvent(661)) - Unable to add the application to the delegation token renewer.
> java.io.IOException: Failed to renew token: Kind: WEBHDFS delegation, Service: NameNodeIP:8020, Ident: (WEBHDFS delegation token 2222 for hrt_qa)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.handleAppSubmitEvent(DelegationTokenRenewer.java:394)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.access$5(DelegationTokenRenewer.java:357)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$DelegationTokenRenewerRunnable.handleDTRenewerAppSubmitEvent(DelegationTokenRenewer.java:657)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$DelegationTokenRenewerRunnable.run(DelegationTokenRenewer.java:638)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.IOException: Unexpected HTTP response: code=-1 != 200, op=RENEWDELEGATIONTOKEN, message=null
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:331)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:90)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:598)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:448)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:477)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:415)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.run(WebHdfsFileSystem.java:473)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.renewDelegationToken(WebHdfsFileSystem.java:1318)
>     at org.apache.hadoop.hdfs.web.TokenAspect$TokenManager.renew(TokenAspect.java:73)
>     at org.apache.hadoop.security.token.Token.renew(Token.java:377)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$1.run(DelegationTokenRenewer.java:477)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer$1.run(DelegationTokenRenewer.java:1)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:415)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1614)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.renewToken(DelegationTokenRenewer.java:473)
>     at org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.handleAppSubmitEvent(DelegationTokenRenewer.java:392)
>     ... 6 more
> Caused by: java.io.IOException: The error stream is null.
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.jsonParse(WebHdfsFileSystem.java:304)
>     at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:329)
>     ... 24 more
> 2014-08-19 03:12:54,735 DEBUG event.AsyncDispatcher (AsyncDispatcher.java:dispatch(164)) - Dispatching the event org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppRejectedEvent.EventType: APP_REJECTED
> {noformat}
> I suspect the issue is that the Namenode generates a delegation token of kind WebHDFS but doesn't change the service port. When YARN tries to renew the delegation token, it ends up trying to contact WebHDFS on the RPC port.
> From NamenodeWebHdfsMethods.java
> {noformat}
>     case GETDELEGATIONTOKEN:
>     {
>       if (delegation.getValue() != null) {
>         throw new IllegalArgumentException(delegation.getName()
>             + " parameter is not null.");
>       }
>       final Token token = generateDelegationToken(
>           namenode, ugi, renewer.getValue());
>       final String js = JsonUtil.toJsonString(token);
>       return Response.ok(js).type(MediaType.APPLICATION_JSON).build();
>     }
> {noformat}
> which in turn calls
> {noformat}
>   private Token generateDelegationToken(
>       final NameNode namenode, final UserGroupInformation ugi,
>       final String renewer) throws IOException {
>     final Credentials c = DelegationTokenSecretManager.createCredentials(
>         namenode, ugi, renewer != null? renewer: ugi.getShortUserName());
>     final Token t = c.getAllTokens().iterator().next();
>     Text kind = request.getScheme().equals("http") ? WebHdfsFileSystem.TOKEN_KIND
>         : SWebHdfsFileSystem.TOKEN_KIND;
>     t.setKind(kind);
>     return t;
>   }
> {noformat}
> The command we used to get the delegation token is -
> {noformat}
> curl -i -k -s --negotiate -u : 'http://NameNodeHost:50070/webhdfs/v1?op=GETDELEGATIONTOKEN&renewer=yarn'
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
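
Added example, not part of the JIRA thread or of Hadoop's code: how a thin non-Java client can read the kind and service out of the token string and spot the mismatch reported above before handing the token to YARN. It assumes the usual Token Writable layout (vint-length-prefixed identifier, password, kind, service) in unpadded URL-safe base64; the sample token, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import base64
import io

def take(buf, n):
    """Read exactly n bytes or fail; guards against truncated input."""
    if n < 0:
        raise ValueError("negative field length in token")
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated or malformed token")
    return data

def read_vint(buf):
    """Decode one Hadoop WritableUtils variable-length integer."""
    first = int.from_bytes(take(buf, 1), "big", signed=True)
    if first >= -112:
        return first                      # value stored in the byte itself
    negative = first < -120
    size = (-120 - first) if negative else (-112 - first)
    value = int.from_bytes(take(buf, size), "big")
    return ~value if negative else value

def parse_token(url_string):
    """Return (identifier, kind, service) from an encoded token string."""
    padded = url_string + "=" * (-len(url_string) % 4)
    buf = io.BytesIO(base64.urlsafe_b64decode(padded))
    identifier = take(buf, read_vint(buf))
    take(buf, read_vint(buf))             # password (HMAC): skipped, never shown
    kind = take(buf, read_vint(buf)).decode("utf-8")
    service = take(buf, read_vint(buf)).decode("utf-8")
    return identifier, kind, service

def check_service(kind, service, webhdfs_port):
    """Describe the HDFS-6904 mismatch, or return None if nothing is wrong."""
    _, _, port = service.rpartition(":")
    if kind != "WEBHDFS delegation" or not port.isdigit():
        return None                       # other kinds / port-less services: no opinion
    if int(port) != webhdfs_port:
        return f"kind {kind!r} but service {service} is not WebHDFS port {webhdfs_port}"
    return None

def field(data):
    """Constructed-sample helper: a single-byte vint covers lengths <= 127."""
    return bytes([len(data)]) + data

# Constructed token reproducing the reported state: WebHDFS kind, RPC port 8020.
SAMPLE = base64.urlsafe_b64encode(
    field(b"constructed-identifier") + field(b"\x00" * 20)
    + field(b"WEBHDFS delegation") + field(b"192.0.2.10:8020")
).decode().rstrip("=")

if __name__ == "__main__":
    _, kind, service = parse_token(SAMPLE)
    print(check_service(kind, service, webhdfs_port=50070))
```
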