hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-2798) YarnClient doesn't need to translate Kerberos name of timeline DT renewer
Date Mon, 03 Nov 2014 20:52:35 GMT

    [ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14195062#comment-14195062
] 

Hudson commented on YARN-2798:
------------------------------

FAILURE: Integrated in Hadoop-trunk-Commit #6426 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6426/])
YARN-2798. Fixed YarnClient to populate the renewer correctly for Timeline delegation tokens.
Contributed by Zhijie Shen. (vinodkv: rev 71fbb474f531f60c5d908cf724f18f90dfd5fa9f)
* hadoop-yarn-project/CHANGES.txt
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/main/java/org/apache/hadoop/yarn/client/api/impl/YarnClientImpl.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/security/TestYARNTokenIdentifier.java
* hadoop-yarn-project/hadoop-yarn/hadoop-yarn-client/src/test/java/org/apache/hadoop/yarn/client/api/impl/TestYarnClient.java


> YarnClient doesn't need to translate Kerberos name of timeline DT renewer
> -------------------------------------------------------------------------
>
>                 Key: YARN-2798
>                 URL: https://issues.apache.org/jira/browse/YARN-2798
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
>         Attachments: YARN-2798.1.patch, YARN-2798.2.patch
>
>
> Now YarnClient will automatically get a timeline DT when submitting an app in a secure
mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating
system user. However, the RM principal and auth_to_local may not be properly presented to
the client, and the client cannot translate the principal to the daemon user properly. On
the other hand, AbstractDelegationTokenIdentifier will do this translation when create the
token. However, since the client has already translated the full principal into a short user
name (which may not be correct), the server can no longer apply the translation any more,
where RM principal and auth_to_local are always correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message