hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Vasudev (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (YARN-2232) ClientRMService doesn't allow delegation token owner to cancel their own token
Date Mon, 30 Jun 2014 11:57:24 GMT

     [ https://issues.apache.org/jira/browse/YARN-2232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Varun Vasudev updated YARN-2232:
--------------------------------

    Description: 
The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The
root cause is this piece of code from the cancelDelegationToken function -
{noformat}
String user = getRenewerForToken(token);
...

private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException
{
  UserGroupInformation user = UserGroupInformation.getCurrentUser();
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  // we can always renew our own tokens
  return loginUser.getUserName().equals(user.getUserName())
      ? token.decodeIdentifier().getRenewer().toString()
      : user.getShortUserName();
}
{noformat}

It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken
expects the full user name. This bug occurs in secure mode and is not an issue with simple
auth.

  was:
The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens. The
root cause is this piece of code from the cancelDelegationToken function -
{noformat}
String user = getRenewerForToken(token);
...

private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws IOException
{
  UserGroupInformation user = UserGroupInformation.getCurrentUser();
  UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
  // we can always renew our own tokens
  return loginUser.getUserName().equals(user.getUserName())
      ? token.decodeIdentifier().getRenewer().toString()
      : user.getShortUserName();
}
{noformat}

It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken
expects the full user name.


> ClientRMService doesn't allow delegation token owner to cancel their own token
> ------------------------------------------------------------------------------
>
>                 Key: YARN-2232
>                 URL: https://issues.apache.org/jira/browse/YARN-2232
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>         Attachments: apache-yarn-2232.0.patch
>
>
> The ClientRMSerivce doesn't allow delegation token owners to cancel their own tokens.
The root cause is this piece of code from the cancelDelegationToken function -
> {noformat}
> String user = getRenewerForToken(token);
> ...
> private String getRenewerForToken(Token<RMDelegationTokenIdentifier> token) throws
IOException {
>   UserGroupInformation user = UserGroupInformation.getCurrentUser();
>   UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
>   // we can always renew our own tokens
>   return loginUser.getUserName().equals(user.getUserName())
>       ? token.decodeIdentifier().getRenewer().toString()
>       : user.getShortUserName();
> }
> {noformat}
> It ends up passing the user short name to the cancelToken function whereas AbstractDelegationTokenSecretManager::cancelToken
expects the full user name. This bug occurs in secure mode and is not an issue with simple
auth.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message