hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harsh J (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-3021) YARN's delegation-token handling disallows certain trust setups to operate properly
Date Thu, 08 Jan 2015 22:02:35 GMT
Harsh J created YARN-3021:
-----------------------------

             Summary: YARN's delegation-token handling disallows certain trust setups to operate
properly
                 Key: YARN-3021
                 URL: https://issues.apache.org/jira/browse/YARN-3021
             Project: Hadoop YARN
          Issue Type: Bug
          Components: security
    Affects Versions: 2.3.0
            Reporter: Harsh J


Consider this scenario of 3 realms: A, B and COMMON, where A trusts COMMON, and B trusts COMMON
(one way trusts both), and both A and B run HDFS + YARN clusters.

Now if one logs in with a COMMON credential, and runs a job on A's YARN that needs to access
B's HDFS (such as a DistCp), the operation fails in the RM, as it attempts a renewDelegationToken(…)
synchronously during application submission (to validate the managed token before it adds
it to a scheduler for automatic renewal). The call obviously fails cause B realm will not
trust A's credentials (here, the RM's principal is the renewer).

In the 1.x JobTracker the same call is present, but it is done asynchronously and once the
renewal attempt failed we simply ceased to schedule any further attempts of renewals, rather
than fail the job immediately.

We should change the logic such that we attempt the renewal but go easy on the failure and
skip the scheduling alone, rather than bubble back an error to the client, failing the app
submission. This way the old behaviour is retained.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message