hadoop-yarn-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sevada Abraamyan (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-2892) Unable to get AMRMToken in unmanaged AM when using a secure cluster
Date Fri, 21 Nov 2014 22:14:33 GMT
Sevada Abraamyan created YARN-2892:

             Summary: Unable to get AMRMToken in unmanaged AM when using a secure cluster
                 Key: YARN-2892
                 URL: https://issues.apache.org/jira/browse/YARN-2892
             Project: Hadoop YARN
          Issue Type: Bug
          Components: resourcemanager
            Reporter: Sevada Abraamyan

An AMRMToken is retrieved from the ApplicationReport by the YarnClient. 
When the RM creates the ApplicationReport and sends it back to the client it makes a simple
security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport
in RMAppImpl).This security check verifies that the user who submitted the original application
is the same user who is requesting the ApplicationReport. If they are indeed the same user
then it includes the AMRMToken, otherwise it does not include it.

The problem arises from the fact that when an application is submitted, the RM  saves the
short username of the user who created the application (See submitApplication in ClientRmService).
Afterwards when the ApplicationReport is requested, the system tries to match the full username
of the requester against the previously stored short username. 

In a secure cluster using Kerberos this check fails because the principle is stripped from
the username when we request a short username. So for example the short username might be
"Foo" whereas the full username is "Foo@Company.com"

Note: A very similar problem has been previously reported in the past in [Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232].

This message was sent by Atlassian JIRA

View raw message