Return-Path: 
 <yarn-issues-return-40139-apmail-hadoop-yarn-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BF1F910BF0
	for <apmail-hadoop-yarn-issues-archive@minotaur.apache.org>;
 Mon,  3 Nov 2014 19:46:34 +0000 (UTC)
Received: (qmail 85925 invoked by uid 500); 3 Nov 2014 19:46:34 -0000
Delivered-To: apmail-hadoop-yarn-issues-archive@hadoop.apache.org
Received: (qmail 85874 invoked by uid 500); 3 Nov 2014 19:46:34 -0000
Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:yarn-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:yarn-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:yarn-issues@hadoop.apache.org>
List-Id: <yarn-issues.hadoop.apache.org>
Reply-To: yarn-issues@hadoop.apache.org
Delivered-To: mailing list yarn-issues@hadoop.apache.org
Received: (qmail 85862 invoked by uid 99); 3 Nov 2014 19:46:34 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 03 Nov 2014 19:46:34 +0000
Date: Mon, 3 Nov 2014 19:46:34 +0000 (UTC)
From: "Zhijie Shen (JIRA)" <jira@apache.org>
To: yarn-issues@hadoop.apache.org
Message-ID: <JIRA.12752325.1414959280000.401067.1415043994368@Atlassian.JIRA>
In-Reply-To: <JIRA.12752325.1414959280000@Atlassian.JIRA>
References: <JIRA.12752325.1414959280000@Atlassian.JIRA>
 <JIRA.12752325.1414959280219@arcas>
Subject: [jira] [Commented] (YARN-2798) YarnClient doesn't need to translate
 Kerberos name of timeline DT renewer
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/YARN-2798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194982#comment-14194982 ] 

Zhijie Shen commented on YARN-2798:
-----------------------------------

I don't have a quick setup for RM HA and secure cluster, but the mapping rule is applied every where in this cluster, I think it should work fine.

> YarnClient doesn't need to translate Kerberos name of timeline DT renewer
> -------------------------------------------------------------------------
>
>                 Key: YARN-2798
>                 URL: https://issues.apache.org/jira/browse/YARN-2798
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: timelineserver
>            Reporter: Arpit Gupta
>            Assignee: Zhijie Shen
>            Priority: Blocker
>         Attachments: YARN-2798.1.patch, YARN-2798.2.patch
>
>
> Now YarnClient will automatically get a timeline DT when submitting an app in a secure mode. It will try to parse the yarn-site.xml/core-site.xml to get the RM daemon operating system user. However, the RM principal and auth_to_local may not be properly presented to the client, and the client cannot translate the principal to the daemon user properly. On the other hand, AbstractDelegationTokenIdentifier will do this translation when create the token. However, since the client has already translated the full principal into a short user name (which may not be correct), the server can no longer apply the translation any more, where RM principal and auth_to_local are always correct.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)