Return-Path: 
 <yarn-issues-return-42151-apmail-hadoop-yarn-issues-archive=hadoop.apache.org@hadoop.apache.org>
X-Original-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org
Delivered-To: apmail-hadoop-yarn-issues-archive@minotaur.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 2B950103E9
	for <apmail-hadoop-yarn-issues-archive@minotaur.apache.org>;
 Sat, 29 Nov 2014 02:35:13 +0000 (UTC)
Received: (qmail 77172 invoked by uid 500); 29 Nov 2014 02:35:13 -0000
Delivered-To: apmail-hadoop-yarn-issues-archive@hadoop.apache.org
Received: (qmail 77131 invoked by uid 500); 29 Nov 2014 02:35:13 -0000
Mailing-List: contact yarn-issues-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:yarn-issues-help@hadoop.apache.org>
List-Unsubscribe: <mailto:yarn-issues-unsubscribe@hadoop.apache.org>
List-Post: <mailto:yarn-issues@hadoop.apache.org>
List-Id: <yarn-issues.hadoop.apache.org>
Reply-To: yarn-issues@hadoop.apache.org
Delivered-To: mailing list yarn-issues@hadoop.apache.org
Received: (qmail 77120 invoked by uid 99); 29 Nov 2014 02:35:12 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 Nov 2014 02:35:12 +0000
Date: Sat, 29 Nov 2014 02:35:12 +0000 (UTC)
From: "Hadoop QA (JIRA)" <jira@apache.org>
To: yarn-issues@hadoop.apache.org
Message-ID: <JIRA.12757094.1416608048000.40140.1417228512898@Atlassian.JIRA>
In-Reply-To: <JIRA.12757094.1416608048000@Atlassian.JIRA>
References: <JIRA.12757094.1416608048000@Atlassian.JIRA>
 <JIRA.12757094.1416608048006@arcas>
Subject: [jira] [Commented] (YARN-2892) Unable to get AMRMToken in unmanaged
 AM when using a secure cluster
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/YARN-2892?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14228601#comment-14228601 ] 

Hadoop QA commented on YARN-2892:
---------------------------------

{color:red}-1 overall{color}.  Here are the results of testing the latest attachment 
  http://issues.apache.org/jira/secure/attachment/12684218/YARN-2892.patch
  against trunk revision 1556f86.

    {color:green}+1 @author{color}.  The patch does not contain any @author tags.

    {color:green}+1 tests included{color}.  The patch appears to include 1 new or modified test files.

    {color:green}+1 javac{color}.  The applied patch does not increase the total number of javac compiler warnings.

    {color:green}+1 javadoc{color}.  There were no new javadoc warning messages.

    {color:green}+1 eclipse:eclipse{color}.  The patch built with eclipse:eclipse.

    {color:green}+1 findbugs{color}.  The patch does not introduce any new Findbugs (version 2.0.3) warnings.

    {color:green}+1 release audit{color}.  The applied patch does not increase the total number of release audit warnings.

    {color:red}-1 core tests{color}.  The patch failed these unit tests in hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager:

                  org.apache.hadoop.yarn.server.resourcemanager.security.TestAMRMTokens
                  org.apache.hadoop.yarn.server.resourcemanager.scheduler.capacity.TestContainerAllocation
                  org.apache.hadoop.yarn.server.resourcemanager.TestRM

    {color:green}+1 contrib tests{color}.  The patch passed contrib unit tests.

Test results: https://builds.apache.org/job/PreCommit-YARN-Build/5950//testReport/
Console output: https://builds.apache.org/job/PreCommit-YARN-Build/5950//console

This message is automatically generated.

> Unable to get AMRMToken in unmanaged AM when using a secure cluster
> -------------------------------------------------------------------
>
>                 Key: YARN-2892
>                 URL: https://issues.apache.org/jira/browse/YARN-2892
>             Project: Hadoop YARN
>          Issue Type: Bug
>          Components: resourcemanager
>            Reporter: Sevada Abraamyan
>            Assignee: Sevada Abraamyan
>         Attachments: YARN-2892.patch, YARN-2892.patch
>
>
> An AMRMToken is retrieved from the ApplicationReport by the YarnClient. 
> When the RM creates the ApplicationReport and sends it back to the client it makes a simple security check whether it should include the AMRMToken in the report (See createAndGetApplicationReport in RMAppImpl).This security check verifies that the user who submitted the original application is the same user who is requesting the ApplicationReport. If they are indeed the same user then it includes the AMRMToken, otherwise it does not include it.
> The problem arises from the fact that when an application is submitted, the RM  saves the short username of the user who created the application (See submitApplication in ClientRmService). Afterwards when the ApplicationReport is requested, the system tries to match the full username of the requester against the previously stored short username. 
> In a secure cluster using Kerberos this check fails because the principle is stripped from the username when we request a short username. So for example the short username might be "Foo" whereas the full username is "Foo@Company.com"
> Note: A very similar problem has been previously reported ([Yarn-2232|https://issues.apache.org/jira/browse/YARN-2232])



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)