hadoop-yarn-issues mailing list archives

From "Zhijie Shen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2397) RM web interface sometimes returns request is a replay error in secure mode
Date Mon, 11 Aug 2014 18:36:12 GMT

    [ https://issues.apache.org/jira/browse/YARN-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14093120#comment-14093120 ]

Zhijie Shen commented on YARN-2397:
-----------------------------------

[~vvasudev], thanks for the new patch! The logic of loading the simple auth filter seems to
be still problematic:
{code}
    // if security is not enabled and the default filter initializer has not 
    // been set, set the initializer to include the
    // RMAuthenticationFilterInitializer which in turn will set up the simple
    // auth filter.

    String initializers = conf.get(filterInitializerConfKey);
    if (!UserGroupInformation.isSecurityEnabled()) {
      if (initializersClasses == null || initializersClasses.length == 0) {
        conf.set(filterInitializerConfKey,
          RMAuthenticationFilterInitializer.class.getName());
        conf.set(authTypeKey, "simple");
      } else if (initializers.equals(StaticUserWebFilter.class.getName())) {
        conf.set(filterInitializerConfKey,
          RMAuthenticationFilterInitializer.class.getName() + ","
              + initializers);
        conf.set(authTypeKey, "simple");
      }
    }
{code}

4 conditions need to be satisfied to load the Kerberos+DT auth filter. Then, in the remaining
cases, the simple auth filter should be loaded, right? Or are there intentionally cases where
neither the Kerberos+DT nor the simple auth filter is used? If it is the former scenario,
{code}
    if (!UserGroupInformation.isSecurityEnabled()) {
{code}
The above code will cause any break except that of condition 1 to result in no auth filter
at all.

And it still makes the assumption that the filter initializer can only be of auth and static user.
However, initializersClasses can contain more than that (see YARN-2277).

For the simple auth filter case, it's good to always use RMAuthenticationFilterInitializer
or the standard AuthenticationFilterInitializer. The current code will cause AuthenticationFilterInitializer
to be used under some configuration setups while RMAuthenticationFilterInitializer is used under
the others.

> RM web interface sometimes returns request is a replay error in secure mode
> ---------------------------------------------------------------------------
>
>                 Key: YARN-2397
>                 URL: https://issues.apache.org/jira/browse/YARN-2397
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Varun Vasudev
>            Assignee: Varun Vasudev
>            Priority: Critical
>         Attachments: apache-yarn-2397.0.patch, apache-yarn-2397.1.patch
>
>
> The RM web interface sometimes returns a request is a replay error if the default kerberos
> http filter is enabled. This is because it uses the new RMAuthenticationFilter in addition
> to the AuthenticationFilter. There is a workaround to set "yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled"
> to false. This bug is to fix the code to use only the RMAuthenticationFilter and not both.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
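
The two review points above (an equality test misses initializer lists with more than two entries, and the auth initializer should be chosen consistently) can be seen side by side in this added example, which is not code from the patch or from the Hadoop project. It assumes RMAuthenticationFilterInitializer is the one auth initializer to keep; the class `AuthInitializerNormalizer`, its methods, the shortened class names and `ExampleExtraFilterInitializer` are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;

public class AuthInitializerNormalizer {
  // Simple class names stand in for the fully qualified names used in real configuration.
  static final String RM_AUTH = "RMAuthenticationFilterInitializer";
  static final String STD_AUTH = "AuthenticationFilterInitializer";

  /** Equality-style check as in the quoted snippet: matches only a list that is exactly one entry. */
  static boolean matchedByEquals(String initializers, String expected) {
    return initializers != null && initializers.equals(expected);
  }

  /** List-aware rewrite: exactly one auth initializer (RM_AUTH) first, other entries kept in order. */
  static String normalize(String initializers) {
    List<String> out = new ArrayList<>();
    out.add(RM_AUTH);
    if (initializers != null) {
      for (String name : initializers.split(",")) {
        String n = name.trim();
        if (n.isEmpty() || n.equals(RM_AUTH) || n.equals(STD_AUTH)) {
          continue; // drop blanks and any auth initializer; RM_AUTH is already first
        }
        if (!out.contains(n)) {
          out.add(n); // keep every non-auth initializer, whatever it is
        }
      }
    }
    return String.join(",", out);
  }

  public static void main(String[] args) {
    // Constructed sample values of the initializer list, not taken from a real cluster.
    String[] samples = {
      null,
      "StaticUserWebFilter",
      "StaticUserWebFilter,ExampleExtraFilterInitializer",
      "AuthenticationFilterInitializer,StaticUserWebFilter",
      "RMAuthenticationFilterInitializer, AuthenticationFilterInitializer"
    };
    for (String s : samples) {
      System.out.printf("%-70s equals-branch=%-5b normalized=%s%n",
          s, matchedByEquals(s, "StaticUserWebFilter"), normalize(s));
    }
  }
}
```

Only the second sample takes the equality branch, while `normalize` yields a list with a single auth initializer for every sample and keeps the extra entries.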
